Authors' Abstract



A rigorous modular specification method requires a proof rule asserting that 
if each component behaves correctly in isolation, then it behaves correctly in 
concert with other components. Such a rule is subtle because a component 
need behave correctly only when its environment does, and each component 
is part of the others' environments. We examine the precise distinction 
between a system and its environment, and provide the requisite proof rule 
when modules are specified with safety and liveness properties. 
1 Introduction



In the transition-axiom method, concurrent systems are specified by com- 
bining abstract programs and temporal logic [Lam89]. The method permits 
a hierarchical approach in which the composition of lower-level specifications 
is proved to implement a higher-level specification. In [AL91], we described 
how to prove that one specification implements another. Here, we examine 
how to compose specifications. We work at the semantic level, independent 
of any particular specification language or logic. Thus, our results can be 
applied to a number of approaches besides the transition-axiom method — 
for example, to Lam and Shankar's method of projections [LS84a], and to 
the I/O automata of Lynch and Tuttle [LT87]. 

Composition makes sense only for systems that interact with their envi- 
ronments. Such a system will behave properly only if its environment does. 
A Pascal program may behave quite improperly if a read(x) statement re- 
ceives from the I/O system a value not allowed by the type of x. A circuit 
may exhibit bizarre behavior if, instead of a 0 or a 1, an input line provides 
a "1/2" — that is, if the input line has an improper voltage level. A proper 
specification of an interactive system Π asserts that the system guarantees 
a property M only under the assumption that its environment satisfies some 
property E. 

The fundamental problem of composing specifications is to prove that a 
composite system satisfies its specification if all its components satisfy their 
specifications. Consider a system Π that is the composition of systems 
Π_1, …, Π_n. We must prove that Π guarantees a property M under an 
environment assumption E, assuming that each Π_i satisfies a property M_i 
under an environment assumption E_i. Observe that: 

1. We expect Π to guarantee M only because of the properties guaranteed 
by its components. Therefore, we must be able to infer that Π 
guarantees M from the assumption that each Π_i guarantees M_i. 

2. The component Π_i guarantees M_i only under the assumption that 
its environment satisfies E_i; and Π_i's environment consists of Π's 
environment together with all the other components Π_j. We must 
therefore be able to infer E_i from the environment assumption E and 
the component guarantees M_j. 

These observations lead to the following principle. 
Composition Principle Let Π be the composition of Π_1, …, Π_n, and 

let the following conditions hold. 

1. Π guarantees M if each component Π_i guarantees M_i. 

2. The environment assumption E_i of each component Π_i is satisfied if 
the environment of Π satisfies E and every Π_j satisfies M_j. 

3. Every component Π_i guarantees M_i under environment assumption E_i. 

Then Π guarantees M under environment assumption E. 

The reasoning embodied by the Composition Principle is circular. To prove 
that every E_i holds, we assume that every M_i holds; but M_i holds only under 
the assumption that E_i holds. So, it is not surprising that the principle is 
not always valid. We will show that the principle is valid under suitably 
weak hypotheses, and that it provides a satisfactory rule for composing 
specifications. 

Before embarking on a rigorous development of the Composition Principle, 
we consider some examples. We begin with partial-correctness specifications 
of sequential programs. The Hoare triple {P} Π {Q} can be viewed 
as an assertion that Π guarantees M under environment assumption E, 
where M asserts that Π terminates only when Q is true, and E asserts that 
Π is started (by some action of the environment) only when P is true. The 
Composition Principle is valid for such specifications, and it is the basis for 
the standard composition rules of Hoare logic. For example, consider the 
following rule, where Π is the sequential composition Π_1; Π_2 of Π_1 and 
Π_2. 

$$\frac{P \Rightarrow P_1,\quad \{P_1\}\,\Pi_1\,\{Q_1\},\quad Q_1 \Rightarrow P_2,\quad \{P_2\}\,\Pi_2\,\{Q_2\},\quad Q_2 \Rightarrow Q}{\{P\}\,\Pi\,\{Q\}}$$

The hypotheses of this rule imply the three conditions of the Composition 
Principle: 

1. Q_2 ⇒ Q: If Π_2 guarantees M_2, then Π guarantees M. 

2. P ⇒ P_1: If the environment of Π satisfies E, then the environment 
assumption E_1 of Π_1 is satisfied. 

Q_1 ⇒ P_2: If Π_1 guarantees M_1, then the environment assumption P_2 
of Π_2 is satisfied. 

3. {P_i} Π_i {Q_i}: Π_i guarantees M_i under environment assumption E_i. 

The principle's conclusion, that Π satisfies M under environment assumption 
E, is the conclusion {P} Π {Q} of the proof rule. 

We now consider reactive systems [HP85]. The interaction of a reac- 
tive system with its environment cannot be expressed simply by pre- and 
postconditions. For example, suppose the environment passes values to the 
system through a register r. If reading and writing r are not atomic opera- 
tions, then the system and its environment must obey a protocol to insure 
the correct passing of values. If the environment does not obey the protocol, 
then the system could read r while it is being written and obtain completely 
arbitrary values — for example, values with incorrect types. The system can 
therefore be expected to guarantee a property M only under the assumption 
that the environment obeys a communication protocol, and such a protocol 
cannot be specified simply in terms of a precondition. 

When we try to extend the Composition Principle beyond simple partial- 
correctness properties, we find that its validity depends on the precise nature 
of the properties being guaranteed and assumed. Consider the situation 
depicted in Figure 1, where a split wire indicates that the same value is 
sent to two different destinations. Suppose Π_1 and Π_2 have the following 
specifications. 

• Π_1 guarantees that it never sends a "1" on out1, assuming that its 
environment never sends it a "2" on in1. 

• Π_2 guarantees that it never sends a "2" on out2, assuming that its 
environment never sends it a "1" on in2. 

System Π_1's guarantee M_1, that it never sends a "1" on its output wire, 
implies Π_2's assumption E_2, that its environment never sends it a "1". 
Similarly, Π_2's guarantee M_2 implies Π_1's environment assumption E_1. 
Hence, condition 2 of the Composition Principle holds. We deduce from the 
principle that if each component Π_i guarantees M_i under assumption E_i, 
then their composition Π guarantees the property M, that it never sends 
a "1" on out1 and never sends a "2" on out2. (There is no environment 
assumption E because Π has no inputs, so its behavior is independent of 
its environment.) This deduction is valid. For example, suppose Π_1 does 
nothing unless it receives a "2" on in1, whereupon it sends a "1" on out1; and 
Π_2 behaves symmetrically. Each Π_i then guarantees M_i under assumption 
E_i, and the composite system Π, which does nothing, guarantees M. 
Now consider what happens if we modify these specifications by replacing 
"never" with "eventually", obtaining: 

• Π_1 guarantees that it eventually sends a "1" on out1, assuming that 
its environment eventually sends it a "2" on in1. 

• Π_2 guarantees that it eventually sends a "2" on out2, assuming that 
its environment eventually sends it a "1" on in2. 

Again, the property M_i guaranteed by each Π_i implies that the other's 
environment assumption E_j is satisfied. This time, the Composition Principle 
leads to the conclusion that Π guarantees eventually to send a "1" on 
out1 and eventually to send a "2" on out2. This conclusion is invalid. The 
two systems described above, which send the appropriate output only after 
receiving the appropriate input, satisfy the modified specifications. Their 
composition, which does nothing, does not fulfill the guarantee implied by 
the Composition Principle. 
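The two components just described, simulated as an added example (this code is not from the paper; the step functions, the trace encoding and the sample environments are constructed here): each Π_i is run alone against an explicit environment to check E_i ⇒ M_i in both the "never" and the "eventually" reading, and then the wired-together Π is run to see which reading of M survives composition.

```python
from typing import Callable, Dict, List, Optional

# A state of the interface: what each wire carries in this step (None = nothing sent).
State = Dict[str, Optional[str]]
Trace = List[State]   # a finite behavior prefix; after it the component sends nothing more
Modality = Callable[[Trace, str, str], bool]

def pi1_step(in1_seen: List[str]) -> Optional[str]:
    """Π1 of the text: does nothing unless it has received a "2" on in1,
    whereupon it sends a "1" on out1."""
    return "1" if "2" in in1_seen else None

def pi2_step(in2_seen: List[str]) -> Optional[str]:
    """Π2 behaves symmetrically: it sends a "2" on out2 once it has received a "1" on in2."""
    return "2" if "1" in in2_seen else None

def run_isolated(step, in_wire: str, out_wire: str, env_sends: List[Optional[str]]) -> Trace:
    """Run one component against an explicit environment that sends env_sends[k]
    on in_wire in round k (None = the environment sends nothing that round)."""
    trace: Trace = []
    seen: List[str] = []
    for msg in env_sends:
        if msg is not None:
            seen.append(msg)
        trace.append({in_wire: msg, out_wire: step(seen)})
    return trace

def run_composed(rounds: int = 4) -> Trace:
    """Π = Π1 composed with Π2, out1 wired to in2 and out2 wired to in1 (Figure 1).
    Π has no inputs, so there is no environment to simulate."""
    trace: Trace = []
    in1_seen: List[str] = []
    in2_seen: List[str] = []
    for _ in range(rounds):
        o1, o2 = pi1_step(in1_seen), pi2_step(in2_seen)
        trace.append({"out1": o1, "out2": o2})
        if o1 is not None:
            in2_seen.append(o1)   # out1 feeds in2
        if o2 is not None:
            in1_seen.append(o2)   # out2 feeds in1
    return trace

# The two modalities of the text, evaluated on the finite trace extended by stuttering
# (the component is quiescent after it): "never" and "eventually" are then both
# decided by the prefix.
def never(trace: Trace, wire: str, value: str) -> bool:
    return all(s.get(wire) != value for s in trace)

def eventually(trace: Trace, wire: str, value: str) -> bool:
    return any(s.get(wire) == value for s in trace)

def component_meets_spec(modality: Modality, step, in_wire: str, trigger: str,
                         out_wire: str, output: str, env_sends: List[Optional[str]]) -> bool:
    """E_i ⇒ M_i on one behavior: E_i = modality(trigger on in_wire),
    M_i = modality(output on out_wire); the guarantee is owed only if E_i holds."""
    trace = run_isolated(step, in_wire, out_wire, env_sends)
    e_i = modality(trace, in_wire, trigger)
    m_i = modality(trace, out_wire, output)
    return m_i or not e_i

# Constructed environments: in which rounds the environment sends the trigger value.
SEND_PATTERNS = [[False] * 4, [True, False, False, False], [False, False, True, False]]

def components_ok(modality: Modality) -> bool:
    """Both Π_i meet E_i ⇒ M_i, in the given modality, on every constructed environment."""
    ok1 = all(component_meets_spec(modality, pi1_step, "in1", "2", "out1", "1",
                                   ["2" if send else None for send in pattern])
              for pattern in SEND_PATTERNS)
    ok2 = all(component_meets_spec(modality, pi2_step, "in2", "1", "out2", "2",
                                   ["1" if send else None for send in pattern])
              for pattern in SEND_PATTERNS)
    return ok1 and ok2

def composite_meets(modality: Modality) -> Dict[str, bool]:
    """M for Π, in the given modality, on the composed run: both guarantees at once."""
    trace = run_composed()
    return {"out1": modality(trace, "out1", "1"), "out2": modality(trace, "out2", "2")}

def composition_is_quiescent(rounds: int = 8) -> bool:
    """Π never sends anything, so the finite trace extended by stuttering is a faithful
    behavior of Π; this is what makes the finite check of "eventually" conclusive."""
    return all(s["out1"] is None and s["out2"] is None for s in run_composed(rounds))

if __name__ == "__main__":
    for modality in (never, eventually):
        print(modality.__name__, "components:", components_ok(modality),
              "composite:", composite_meets(modality))
```

Running the block shows that both components meet both readings of their specifications, while the composite meets the safety reading of M and fails the liveness reading: this is the gap the Composition Principle must bridge. Checking "eventually" on a finite trace is conclusive here only because the composite is quiescent (composition_is_quiescent), so the trace extended by stuttering is a genuine behavior of Π.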

Replacing "never" with "eventually" changed the guarantees M_i and the 
environment assumptions E_i from safety properties to liveness properties. 
Intuitively, a safety property asserts that something bad does not hap- 
pen, while a liveness property asserts that something good eventually does 
happen. (Safety and liveness are defined formally in Section 2.) For most 
methods of describing and composing systems, the Composition Principle is 
valid if all guarantees and assumptions are safety properties. Various spe- 
cial cases of this result have appeared, in different guises. Its most familiar 
incarnation is in the inference rules for partial-correctness specifications; the 
guarantees and assumptions of such specifications are safety properties. The 
Composition Principle for safety properties is also embodied in a proof rule 
of Misra and Chandy [MC81] for processes communicating by means of CSP 
primitives. 

Specifications that involve only safety properties are not very satisfy- 
ing, since any safety property is satisfied by a system that does noth- 
ing. Liveness properties must be added to rule out trivial implementations. 
Pnueli [Pnu84], considering a different class of programs, gave a more gen- 
eral proof rule than that of Misra and Chandy. Pnueli's rule handles liveness 
properties, but unlike our Composition Principle, it requires an explicit in- 
duction step. Stark [Sta85] proposed another general proof rule. Stark's 
method handles liveness properties at the cost of requiring the discovery 
of a set of auxiliary assertions that explicitly break the circularity of the 
Composition Principle. 
Our main result, Theorem 2 of Section 5.3, provides a formal statement 
of the Composition Principle. Its main hypothesis is that the environment 
assumptions are safety properties. The properties guaranteed by the system 
and its components need not be safety properties; they can include liveness. 
Theorem 1 of Section 4.3 shows that any specification satisfying a certain 
reasonable hypothesis is equivalent to a specification whose environment as- 
sumption is a safety property. These theorems are the fruit of a detailed 
examination of the distinction between a system and its environment, pre- 
sented in Sections 3 and 4. 

Our Composition Principle is extremely general. It does not assume any 
particular language or logic for writing specifications. It applies equally to 
specifications of Ada programs, microcode, and digital circuits. Formalizing 
our result in such generality requires concepts that may seem odd to readers 
accustomed to language-based models of computation. The rest of Section 1 
introduces these concepts and relates them to other approaches that some 
readers may find more familiar. Precise definitions appear in Section 2. 

A glossary of notation and conventions appears at the end. 

1.1 States versus Actions 

The popular approaches to specification are based on either states or ac- 
tions. In a state-based approach, an execution of a system is viewed as a 
sequence of states, where a state is an assignment of values to some set of 
components. An action-based approach views an execution as a sequence 
of actions. These different approaches are, in some sense, equivalent. An 
action can be modeled as a state change, and a state can be modeled as an 
equivalence class of sequences of actions. However, the two approaches have 
traditionally taken very different formal directions. State-based approaches 
are often rooted in logic, a specification being a formula in some logical 
system. Action-based approaches have tended to use algebra, a specifica- 
tion being an object that is manipulated algebraically. Milner's CCS is the 
classic example of an algebraic formalism [Mil80]. 

State-based and action-based approaches also tend to differ in practice. 
To specify keyboard input using an action-based approach, the typing of a 
single character might be represented as a single action. In a state-based 
approach, it might have to be represented by two separate state changes: 
the key is first depressed and then released. An action-based representation 
often appears simpler — pressing a key is one action instead of two state 
changes. But this simplicity can be deceptive. A specification in which 
typing a character is a single action does not provide for the real situation 
in which a second key is depressed before the first is released. We have no 
reason to expect actions to be simpler than states for accurately describing 
real systems. We have found that a state-based approach forces a close 
examination of how the real system is represented in the model, helping 
to avoid oversimplification. On the other hand, there are circumstances in 
which oversimplified models are useful. 

We adopt a state-based approach and use the term "action" informally 
to mean a state change. 

1.2 System versus Environment 

We view a specification as a formal description of the interface between the 
system and its environment. A state completely describes the state of the 
interface at some instant. 

It is necessary to distinguish actions performed by the system from ones 
performed by the environment. For example, consider the specification of 
a clock circuit whose output is an increasing sequence of values; the circuit 
does not change the clock value until the environment has acknowledged 
reading it. The specification might include state components clock and ack, 
with a correct behavior consisting of a sequence of actions that alternately 
increment clock and complement ack. 

Now, consider an "anti-clock", which is a circuit that assumes its en- 
vironment (the rest of the circuit) provides a clock. The anti-clock issues 
acknowledgements and expects the environment to change the clock. The 
clock and anti-clock both display the same sequence of states — that is, the 
same sequence of clock and ack values — but they are obviously different 
systems. To distinguish them, we must specify not only what state changes 
may occur, but also which state changes are performed by the system and 
which by the environment. 

An action-based formalism could simply partition the actions into system 
and environment actions. Formalisms based on joint system/environment 
actions require more subtle distinctions, such as between "internal" and "external" 
nondeterminism, or between the ⊓ and □ operators of CSP [Hoa85]. 

In a state-based formalism, the easiest way to distinguish system actions 
from environment actions is to partition the state components into input and 
output components and require that the values of an input and an output 
component cannot both change at once. We can then declare that changes 
to output components are performed by the system and changes to input 
components are performed by the environment. 

This method of partitioning the state components is not as flexible as we 
would like. For example, we might want to specify an individual assignment 
statement x := x + 1 as a system whose environment is the rest of the 
program in which it appears. Since x can be modified by other parts of the 
program, it is both an input and an output component for this system. In 
general, we want to allow module boundaries to be orthogonal to process 
boundaries [Lam84], so modules need not communicate only by means of 
simple input and output variables. 

Instead of partitioning state components, we assume that each state 
change is performed by some "agent" and partition the set of agents into 
environment agents and system agents. A system execution is modeled as 
a behavior, which is a sequence of alternating states and agents, each agent 
being responsible for the change into the next state. 

1.3 Specifying the System and its Environment 

The specification of a system Π asserts that Π guarantees a property M 
under the assumption that its environment satisfies some property E. We 
will formally define a property to be a set of behaviors, so an execution of 
Π satisfies property P if and only if the behavior (a sequence of states and 
agents) that represents the execution is an element of P. The specification 
of Π is the property E ⇒ M, which is the set of all behaviors that are in M 
or not in E. A behavior satisfies this specification if it satisfies M or fails to 
satisfy E. The system Π satisfies the specification E ⇒ M if all behaviors 
representing executions of Π are elements of E ⇒ M. 

It is important to realize that E is an assumption about the environment, 
not a constraint placed on it. The environment cannot be constrained or 
controlled by the system. The system cannot prevent the user from depress- 
ing two keys at the same time. We can include in E the assumption that 
the user does not press two keys at once, but this means that the system 
guarantees to behave properly only if the user presses one key at a time. 
A specification that requires the user not to press two keys at once cannot 
be implemented unless the system can control what the user does with his 
fingers. This distinction between assumption and requirement is central to 
our results and is addressed formally in Section 3. 

Our definition of a property as a set of behaviors means that we can 
determine whether or not a system satisfies a specification by examining 
each possible system execution by itself, without having to examine the 
set of all possible executions at once. For example, we can specify that the 
system's average response time be less than one millisecond in any execution 
containing at least 10,000 requests, where the average is over all responses 
in a single execution. However, we cannot specify an average response time 
where the average is over all possible executions. 

1.4 Composition and Proof 

In a modular specification method, one proves that the composition of lower- 
level systems implements a higher-level one. Section 5.2 explains how the 
refinement-mapping method described in [AL91] can be used to prove that 
a specification of the form E ⇒ M implements a higher-level specification 
of the same form. 

In our approach, composition is conjunction. Therefore, the composition 
of two systems with specifications E_1 ⇒ M_1 and E_2 ⇒ M_2 satisfies their 
conjunction, (E_1 ⇒ M_1) ∧ (E_2 ⇒ M_2). To prove that this composition 
implements a specification E ⇒ M, we first use the Composition Principle 
to show that it satisfies the specification E ⇒ M_1 ∧ M_2. We can then use 
the method described in [AL91] to prove that E ⇒ M_1 ∧ M_2 implements 
E ⇒ M. 

Theorem 2 (our formal statement of the Composition Principle) and 
Proposition 12 of Section 5.3 allow us to conclude that if E ∧ M_2 implies the 
environment assumption E_1, and E ∧ M_1 implies the environment assumption 
E_2, then the composition of systems satisfying E_1 ⇒ M_1 and E_2 ⇒ M_2 
is a system satisfying E ⇒ M_1 ∧ M_2. The circularity of such a deduction was 
already observed in the examples based on Figure 1. Those examples had 
E identically true, E_1 = M_2, and E_2 = M_1; and the Composition Principle 
permitted us to deduce M_1 ∧ M_2 from M_1 ⇒ M_2 and M_2 ⇒ M_1. Theorem 2 
and Proposition 12 imply that this apparently absurd deduction is valid, the 
major hypothesis being that E, E_1, and E_2 are safety properties. Theorem 1 
of Section 4 shows that this is a reasonable hypothesis. 

Our Composition Principle applies in cases where E ⇒ M excludes 
behaviors allowed by the specifications E_i ⇒ M_i, so E ⇒ M cannot be 
deduced logically from the properties E_i ⇒ M_i. The principle is sound 
because the excluded behaviors do not correspond to executions produced 
by any components satisfying E_i ⇒ M_i — for example, behaviors in which the 
environment chooses to violate E_i only after the component has violated M_i. 
Thus, the Composition Principle can be valid despite its apparent logical 
circularity. 
1.5 Semantics versus Logic 



In the transition-axiom method, a specification is a logical formula that 
describes a set of behaviors. Instead of stating our results for the partic- 
ular temporal logic on which transition axioms are based, we take a more 
general semantic view in which a specification is a set of behaviors. The 
relation between logic and semantics is indicated by the following list of log- 
ical formulas and their corresponding semantic objects. The symbols P and 
Q denote formulas (logical view) and their corresponding sets of behaviors 
(semantic view), and T denotes the set of all behaviors. 

Logic        Semantics        Logic          Semantics 

¬P           T − P            ⊨ P            P = T 

P ∧ Q        P ∩ Q            ⊨ P ⇒ Q        P ⊆ Q 

P ⇒ Q        (T − P) ∪ Q 
Our semantic model is described in the following section. 



2 The Semantic Model 

We now define the semantic concepts on which our results are based. Most 
of these concepts have appeared before, so they are described only briefly; 
the reader can consult the cited sources for more complete discussions. 

States 

A state is an element of a nonempty set S of states. Except where stated 
otherwise, we assume that S is fixed. A state predicate, sometimes called an 
S-predicate, is a subset of the set S of states. 

We think of an element of S as representing the state, at some instant, 
of the relevant universe — that is, of the interfaces of all the systems under 
consideration. A specification should describe only what is externally visible, 
so elements of S represent only the state of the interfaces and not of any 
internal mechanisms. 

Agents 

We assume a nonempty set A of agents. If μ is a set of agents, then ¬μ 
denotes the set A − μ of agents. An agent set μ is a subset of A such 
that neither μ nor ¬μ is empty. This terminology may seem confusing, 
since an arbitrary set of agents is not the same as an agent set. The empty 
set of agents ∅ and the full set of agents A turn out to be anomalous for 
uninteresting technical reasons; sometimes we unobtrusively exclude these 
anomalous cases by considering only agent sets. 

We think of the elements of A as the entities responsible for changing the 
state. A specification describes what it means for a set of agents μ to form 
a correctly operating system — in other words, what it means for a behavior 
to be correct when the agents in μ are considered to form the system and 
the agents in ¬μ are considered to form the environment. 

In describing a system, the particular agent that performs an action is 
not important; what matters is whether the agent belongs to the system or 
the environment. Thus, if we are dealing with a single specification, we could 
assume just two agents, a system agent and an environment agent, as was 
done by Barringer, Kuiper, and Pnueli in [BKP86] and by us in [ALW89]. 
However, for composing specifications, one needs more general sets of agents, 
as introduced in [Lam83a] (where agents were called "actions"). 

It may help the reader to think of the agents as elementary circuit com- 
ponents or individual machine-language instructions. However, the actual 
identity of the individual agents never matters. 

Behaviors 

A behavior prefix is a sequence 

$$s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \xrightarrow{a_3} \cdots \qquad (1)$$

where each s_i is a state and each a_i is an agent, and the sequence is either 
infinite or else ends in a state s_m for some m ≥ 0. A behavior is an infinite 
behavior prefix. If σ is the behavior prefix (1), then s_i(σ) denotes s_i and 
a_i(σ) denotes a_i. For a behavior σ, we let σ|_m denote the finite prefix of σ 
ending with the m-th state s_m(σ), for m ≥ 0. We sometimes use the term 
S-behavior to indicate that the states in the behavior are elements of S. 

A behavior represents a possible complete history of the relevant universe, 
starting at some appropriate time. As usual in state-based approaches, 
we adopt an interleaving semantics, in which the evolution of the universe is 
broken into atomic actions (state changes), and concurrent actions are considered 
to happen in some arbitrary order. A step $s_{i-1} \xrightarrow{a_i} s_i$ of a behavior 
denotes an action in which agent a_i changes the state of the universe from 
s_{i-1} to s_i. Steps in our formalism correspond to the actions of action-based 
formalisms. 
Stuttering-Equivalence 

If μ is any set of agents, then a μ-stuttering step is a sequence $s \xrightarrow{a} s$ with 
a ∈ μ. If σ is a behavior prefix, then ♮_μ σ is defined to be the behavior prefix 
obtained from σ by replacing every maximal (finite or infinite) sequence 
$s \xrightarrow{a_1} s \xrightarrow{a_2} s \cdots$ of μ-stuttering steps with the single state s. Two behavior 
prefixes σ and τ are said to be μ-stuttering-equivalent, written σ ≃_μ τ, iff (if 
and only if) ♮_μ σ = ♮_μ τ. When μ equals A, we write σ ≃ τ instead of σ ≃_A τ 
and stuttering-equivalent instead of A-stuttering-equivalent. If σ is a finite 
behavior prefix, then σ̂ is defined to be some arbitrary behavior such that 
σ̂ ≃ σ and σ̂|_m = σ for some m. (The precise choice of σ̂, which involves 
choosing which agents perform the infinite number of stuttering steps that 
must be added to σ, does not matter.) 
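As an added example (not the paper's code), the following implements ♮_μ on finite behavior prefixes, μ-stuttering-equivalence as equality of the collapsed prefixes, and a finite approximation of σ̂. The prefix encoding (a list of states paired with a list of agent names), the agent names sys and env, and the sample prefixes are assumptions of this model.

```python
from typing import Any, List, Set, Tuple

State = Any                               # any value with ==; dicts are used below
Prefix = Tuple[List[State], List[str]]    # (s_0 .. s_m, a_1 .. a_m)

def natural(sigma: Prefix, mu: Set[str]) -> Prefix:
    """♮_μ σ: drop every μ-stuttering step s --a--> s with a ∈ μ. Dropping each such
    step on its own collapses every maximal run of them to the single state s."""
    states, agents = sigma
    if len(states) != len(agents) + 1:
        raise ValueError("a prefix with m steps has m + 1 states")
    out_states, out_agents = [states[0]], []
    for agent, state in zip(agents, states[1:]):
        # out_states[-1] equals the step's source state: dropped steps did not change it.
        if agent in mu and state == out_states[-1]:
            continue                       # μ-stuttering step: no observable effect
        out_agents.append(agent)
        out_states.append(state)
    return out_states, out_agents

def stuttering_equivalent(sigma: Prefix, tau: Prefix, mu: Set[str]) -> bool:
    """σ ≃_μ τ iff ♮_μ σ = ♮_μ τ."""
    return natural(sigma, mu) == natural(tau, mu)

def extend_with_stuttering(sigma: Prefix, agent: str, extra_steps: int) -> Prefix:
    """A finite approximation of σ̂: σ followed by extra_steps stuttering steps by `agent`.
    Whatever agent is chosen, the result is A-stuttering-equivalent to σ."""
    states, agents = sigma
    return states + [states[-1]] * extra_steps, agents + [agent] * extra_steps

A = {"sys", "env"}   # constructed: one system agent and one environment agent

# Constructed prefixes over a single register x.
# SIGMA: the system takes internal (stuttering) steps around one visible change by env.
SIGMA: Prefix = ([{"x": 0}, {"x": 0}, {"x": 0}, {"x": 1}, {"x": 1}],
                 ["sys", "sys", "env", "sys"])
# RHO: the same visible history with no stuttering at all.
RHO: Prefix = ([{"x": 0}, {"x": 1}], ["env"])
# TAU2: the environment stutters once before making the change.
TAU2: Prefix = ([{"x": 0}, {"x": 0}, {"x": 1}], ["env", "env"])

if __name__ == "__main__":
    print("♮_A SIGMA =", natural(SIGMA, A))
    print("SIGMA ≃ RHO:", stuttering_equivalent(SIGMA, RHO, A))
    print("SIGMA ≃_env RHO:", stuttering_equivalent(SIGMA, RHO, {"env"}))
```

With μ = A the system's internal steps disappear and SIGMA collapses to RHO, whereas with μ = {env} only environment stuttering is removed, so SIGMA and RHO are no longer equivalent but TAU2 and RHO are.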

A state describes the state of the entire relevant universe, and a stutter- 
ing step does not change the state, so a stuttering step has no observable 
effect. Therefore, two behaviors that are stuttering-equivalent should be 
indistinguishable. A useful way to think about stuttering is to imagine 
that a state in S describes only the observable parts of the universe, and 
that there are also unobservable, internal state components of the various 
objects that make up the universe. A stuttering step represents a step in 
which some object changes only its internal state. As explained in [Lam83b] 
and [Lam89], considering stuttering-equivalent behaviors to be equivalent 
allows the hierarchical decomposition of specifications by refining the grain 
of atomicity. 

If σ is a finite behavior prefix, then σ̂ is obtained from σ by adding an 
infinite number of stuttering steps. The behavior σ̂ represents a history of 
the universe in which all externally observable activity ceases after a finite 
number of steps. (For example, a computer that has halted continues to 
take stuttering steps because its internal clock keeps ticking.) 

Properties 

A property P is a set of behaviors that is closed under stuttering-equivalence, 
meaning that for any behaviors σ and τ, if σ ≃ τ then σ ∈ P iff τ ∈ P. We 
sometimes call P an S-property to indicate that it is a set of S-behaviors. A 
state predicate I is considered to be the property such that σ ∈ I iff s_0(σ) ∈ 
I. For properties P and Q, we define P ⇒ Q to be the property (¬P) ∪ Q, 
where ¬ denotes complementation in the set of all behaviors. In formulas, 
⇒ has lower precedence than ∩, so P ∩ Q ⇒ R denotes (P ∩ Q) ⇒ R. 
A property P is a safety property iff it satisfies the following condition: 
a behavior σ is in P iff σ|_m ∈ P for all m ≥ 0. A property P is a liveness 
property iff every finite behavior prefix is a prefix of a behavior in P. With 
a standard topology on the set of behaviors, a property is a safety property 
iff it is closed, and it is a liveness property iff it is dense [AS85]. It follows 
from elementary results of topology that every property is the conjunction 
of a safety property and a liveness property. The closure of a property P in 
this topology, written P̄, is the smallest safety property containing P. 

Property P is a safety property iff every behavior not in P has a finite 
prefix that is not in P. Hence, a safety property is one that is finitely 
refutable. For any state predicate I, the property I depends only on the 
initial state, so it is a safety property. A property P is a liveness property 
iff every finite behavior prefix can be completed to a behavior in P. 
Hence, a liveness property is one that is never finitely refutable. Alpern and 
Schneider [AS85] discussed these definitions in more detail. 

For properties P and Q, we define P −▷ Q to be the set of all behaviors σ 
such that σ|_m ∈ P ⇒ Q for all m ≥ 0. Thus, P −▷ Q is the safety property 
asserting that Q cannot become false before P does. It follows from the 
definition that Q ⊆ (P −▷ Q) ⊆ (P ⇒ Q), for any properties P and Q. 

The specification of a system is the property consisting of all behaviors 
(histories of the relevant universe) in which the system is considered to 
perform correctly. 

μ-Abstractness 

If μ is a set of agents, then two behaviors σ and τ are μ-equivalent iff, for 
all i ≥ 0: 

• s_i(σ) = s_i(τ) 

• a_{i+1}(σ) ∈ μ iff a_{i+1}(τ) ∈ μ. 

A set P of behaviors is μ-abstract iff, for any behaviors σ and τ that are 
μ-equivalent, σ ∈ P iff τ ∈ P. 

Two behaviors are μ-equivalent iff they would be the same if we replaced 
every agent in μ by a single agent, and every agent not in μ by a different 
single agent. A reasonable specification of a system does not describe which 
agent performs an action, only whether the action is performed by a system 
or an environment agent. Thus, if μ is the set of system agents, then the 
specification should not distinguish between μ-equivalent behaviors, so it 
should be a μ-abstract property. 
3 Realizability 



A specification of a system is a property P consisting of all behaviors in 
which the system performs correctly. Whether a behavior is allowed by 
the specification may depend upon the environment's actions as well as 
the system's actions. This dependence upon what the environment does is 
unavoidable, since the system cannot be expected to perform in a prescribed 
fashion if the environment does not behave correctly. However, the ability 
to specify the environment as well as the system gives us the ability to write 
specifications that constrain what the environment is allowed to do. Such 
a specification would require the system to control (or predict) what the 
environment will do; it would be unimplementable because the environment 
is precisely the part of the universe that the system cannot control. 

A specification should assert that the system performs properly if the 
environment does; it should not assert that the environment performs prop- 
erly. For example, assume that the environment is supposed to decrement 
some state component x. A specification (property) P asserting that the 
environment must decrement x would not be implementable because given 
any system, there is a possible universe containing the system whose be- 
havior is not in P — namely one in which the environment never decrements 
x. Hence, no system can satisfy the specification P. A specification of the 
system should allow all behaviors in which the environment never decre- 
ments x. 

A specification that is unimplementable because it constrains the en- 
vironment's actions is called unrealizable. (A specification may be unim- 
plementable for other reasons that do not concern us here — for example, 
because it requires the system to compute a noncomputable function.) We 
now define precisely what realizability means, and explore some of its im- 
plications for specifications. The definitions are almost identical to the ones 
in [AL91]. 

3.1 Safety Properties 

A safety property is finitely refutable, so if a behavior does not satisfy the property, then we can tell who took the step that violated it. More precisely, if $P$ is a safety property and a behavior $\sigma$ is not in $P$, then there is some number $m \geq 0$ such that $\sigma|_m$ is not in $P$. If $m$ is the smallest such number, then we can say that $P$ was violated by the agent that performed the $m$th step of $\sigma$, assuming $m > 0$. A safety property is defined to constrain only the system iff the property can be violated only by system agents.

We now formalize this definition. For any property $P$ and behavior $\sigma$, let $V(P,\sigma)$ equal the smallest nonnegative integer $m$ such that $\sigma|_m$ is not in $P$. (We leave $V(P,\sigma)$ undefined if there is no such $m$.) If $\mu$ is an agent set, then a safety property $P$ constrains at most $\mu$ iff for all behaviors $\sigma$, if $\sigma \notin P$ then $V(P,\sigma) > 0$ and $a_{V(P,\sigma)}(\sigma) \in \mu$.
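The definitions of $V(P,\sigma)$ and of "constrains at most $\mu$" can be exercised on finite prefixes. The following Python code is an added example, not code from the paper: a finite behavior prefix is an initial state plus a list of (agent, state) steps, a state is the integer value of a single variable $x$, and a safety property is given as a predicate on finite prefixes. The property $TA_\mu(\mathcal{N})$ of Section 4.2.1, which restricts only the steps of $\mu$ agents, serves as the property that constrains at most $\mu$; a property forbidding anyone from decrementing $x$ serves as one that does not. The agent names "sys" and "env", the next-state relation (the system may only add one to $x$) and the sample prefixes are all constructed for the example, and the check over samples is evidence over those samples only, not a proof over all behaviors.

```python
from typing import Callable, Optional

# A finite behavior prefix sigma|_m: initial state s_0 followed by m steps,
# each step being (agent, new_state).  States are ints (the value of x).
State = int
Step = tuple[str, State]
SafetyCheck = Callable[[State, list[Step]], bool]  # True iff the prefix is in P


def refutation_index(in_p: SafetyCheck, s0: State, steps: list[Step]) -> Optional[int]:
    """V(P, sigma): the smallest m >= 0 such that sigma|_m is not in P.

    Returns None when every prefix we can see is in P (V is undefined so far).
    """
    for m in range(len(steps) + 1):
        if not in_p(s0, steps[:m]):
            return m
    return None


def violating_agent(in_p: SafetyCheck, s0: State, steps: list[Step]) -> Optional[str]:
    """The agent a_{V(P,sigma)}(sigma) that performed the violating step.

    None when no visible prefix violates P, or when m == 0 (the initial
    state itself violates P, so no agent took a step to blame).
    """
    m = refutation_index(in_p, s0, steps)
    if m is None or m == 0:
        return None
    return steps[m - 1][0]


def ta(next_state: Callable[[State, State], bool], mu: frozenset[str]) -> SafetyCheck:
    """TA_mu(N): every non-stuttering step by an agent in mu must be in N.

    Steps by agents outside mu are unconstrained, so this property can only be
    violated by mu agents: it constrains at most mu.
    """
    def in_p(s0: State, steps: list[Step]) -> bool:
        prev = s0
        for agent, s in steps:
            if agent in mu and s != prev and not next_state(prev, s):
                return False
            prev = s
        return True
    return in_p


def never_decremented() -> SafetyCheck:
    """A property that restricts every agent: x never decreases."""
    def in_p(s0: State, steps: list[Step]) -> bool:
        prev = s0
        for _, s in steps:
            if s < prev:
                return False
            prev = s
        return True
    return in_p


def constrains_at_most(in_p: SafetyCheck, mu: frozenset[str],
                       samples: list[tuple[State, list[Step]]]) -> bool:
    """'P constrains at most mu', checked over sample prefixes only.

    Every refuted sample must have V(P, sigma) > 0 and a mu agent as culprit.
    """
    for s0, steps in samples:
        m = refutation_index(in_p, s0, steps)
        if m is None:
            continue
        if m == 0 or steps[m - 1][0] not in mu:
            return False
    return True


SYSTEM = frozenset({"sys"})  # mu: the system's agents (constructed names)


def increment(s: State, t: State) -> bool:
    """N: the system may only add one to x (constructed next-state relation)."""
    return t == s + 1


# Constructed sample prefixes.  In the first, the environment decrements x
# (allowed by TA_mu(N)) and the system then jumps x by two (forbidden by N).
SAMPLES = [
    (0, [("env", -1), ("sys", 0), ("sys", 2), ("sys", 3)]),
    (5, [("sys", 6), ("env", 3), ("env", 3), ("sys", 4)]),
]


def demo() -> dict:
    ta_sys = ta(increment, SYSTEM)
    nodec = never_decremented()
    s0, steps = SAMPLES[0]
    return {
        "V_ta": refutation_index(ta_sys, s0, steps),            # 3: sigma|_3 ends at x=2
        "culprit_ta": violating_agent(ta_sys, s0, steps),       # "sys"
        "ta_constrains_sys": constrains_at_most(ta_sys, SYSTEM, SAMPLES),   # True
        "V_nodec": refutation_index(nodec, s0, steps),          # 1: env stepped to -1
        "culprit_nodec": violating_agent(nodec, s0, steps),     # "env"
        "nodec_constrains_sys": constrains_at_most(nodec, SYSTEM, SAMPLES),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The second property is refuted at $m = 1$ by an environment step, which is exactly why it cannot serve as the specification of a system: as Section 3 argues, no system can prevent the environment from decrementing $x$.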

3.2 Realizability of Arbitrary Properties 
3.2.1 Definitions 

To understand the general concept of realizability, it helps to think of a be- 
havior as the outcome of a two-person infinite game played by the system 
and the environment. The environment chooses the initial state, and then 
the environment and the system alternate moves to produce the behavior, 
with the environment taking the first move. An environment move consists 
of adding any finite number of steps performed by environment agents (pos- 
sibly zero steps); a system move consists of doing nothing or adding one 
step performed by a system agent. (A similar class of games was studied by 
Morton Davis [Dav64].) The system wins the game iff the resulting behavior 
prefix satisfies the specification or is finite. (Our informal discussion is sim- 
plified by considering the system to win games with finite outcomes, which 
do not correspond to the infinite behaviors of our formalism.) A specifica- 
tion is said to be realizable iff the system has a winning strategy — that is, iff 
the system can always win no matter what moves the environment makes. 

A specification is realizable if it has enough behaviors so that the system 
can win even if the environment plays as well as it can. A specification may 
also contain behaviors that are outcomes of games in which the environment 
had a chance to win but played badly and lost. A correct implementation 
can never allow such behaviors to occur because it can't count on the en- 
vironment playing badly. The realizable part of a specification is defined to 
consist only of those behaviors in which the environment never had a chance 
to win. An implementation that satisfies the specification can produce only 
behaviors in the realizable part. Hence, two specifications have the same 
implementations iff they have the same realizable parts. Two such specifi- 
cations are said to be equirealizable. We can replace a specification with an 
equirealizable one without changing the class of real systems that are being 
specified. 

The formal definitions of these concepts are based on the definition of a strategy, which is a rule by which the system determines its next move. More precisely, a strategy is a partial function that determines the system's next step as a function of the behavior up to that point. It suffices to consider deterministic strategies, since the set of behaviors that result from a nondeterministic strategy is the union of the sets of behaviors produced by some set of deterministic strategies. In the following definitions, $\mu$ is an arbitrary agent set.

• A $\mu$-strategy $f$ is a partial function from the set of finite behavior prefixes to $\mu \times S$. (Intuitively, $f(\sigma) = (\alpha, s)$ means that, if the system gets to move after play has produced $\sigma$, then it adds a step by agent $\alpha$ to state $s$. If $f(\sigma)$ is undefined, then the system chooses not to move.)

• A $\mu$-outcome of a $\mu$-strategy $f$ is a behavior $\sigma$ such that for all $m > 0$, if $a_m(\sigma) \in \mu$ then $f(\sigma|_{m-1}) = (a_m(\sigma), s_m(\sigma))$. A $\mu$-outcome $\sigma$ is fair iff $a_{m+1}(\sigma) \in \mu$ or $\sigma|_m$ is not in the domain of $f$ for infinitely many values of $m$. (A $\mu$-outcome of $f$ is one in which all the $\mu$-moves were produced by the strategy $f$. It is fair iff it could have been obtained by giving the system an infinite number of chances to move.)

• If $f$ is a $\mu$-strategy, then $O_\mu(f)$ is the set of all fair $\mu$-outcomes of $f$.

• The $\mu$-realizable part of a set $P$ of behaviors, denoted $\mathcal{R}_\mu(P)$, is the union of all sets $O_\mu(f)$ such that $f$ is a $\mu$-strategy and $O_\mu(f) \subseteq P$. (Intuitively, $\mathcal{R}_\mu(P)$ is the set of fair outcomes that can be produced by correct implementations of $P$.) We show in Proposition 1 below that $\mathcal{R}_\mu(P)$ is a property if $P$ is.

• A property $P$ is $\mu$-realizable iff $\mathcal{R}_\mu(P)$ is nonempty. (A $\mu$-realizable property is one that has a correct implementation.)

• Properties $P$ and $Q$ are $\mu$-equirealizable iff $\mathcal{R}_\mu(P) = \mathcal{R}_\mu(Q)$. (Equirealizable properties have the same correct implementations.)

• A property $P$ is $\mu$-receptive iff $\mathcal{R}_\mu(P) = P$. (A $\mu$-receptive property includes only behaviors that can be produced by correct implementations.)

Stark studied a generalization of receptiveness, which he called local inconsistency in his thesis [Sta84]. The special case corresponding to our definition of receptiveness was not considered in the thesis, but did appear in his unpublished thesis proposal. Dill independently developed the notion of receptiveness and introduced its name [Dil88]. In [ALW89], a concept of realizability was defined in which $O_\mu(f)$ included all outcomes, rather than just fair ones. By eliminating unfair outcomes, we prevent the environment from ending the game by taking an infinite number of steps in a single move. Allowing such an infinite move, in which the environment prevents the system from ever taking another step, would produce a game that does not correspond to the kind of autonomous system that we are concerned with here. Our concept of realizability is similar but not identical to fair realizability as defined in [ALW89]. The difference between these two concepts is described below.

3.2.2 Discussion of the Definitions

The set $O_\mu(f)$ is not in general a property; it can contain a behavior $\sigma$ and not contain a behavior $\sigma'$ that is stuttering-equivalent to $\sigma$. Moreover, since the strategy $f$ chooses specific agents, the set $O_\mu(f)$ is not $\mu$-abstract. However, our definitions do ensure that $\mathcal{R}_\mu$ preserves invariance under stuttering and $\mu$-abstractness.

Proposition 1 For every agent set $\mu$, if $P$ is a property then $\mathcal{R}_\mu(P)$ is a property, and if $P$ is $\mu$-abstract then $\mathcal{R}_\mu(P)$ is $\mu$-abstract.

The proofs of this and of our other results appear in the appendix.

Our definition of strategies allows them to depend upon the presence or absence of stuttering. In other words, if $f$ is a $\mu$-strategy, then $f(\sigma)$ and $f(\tau)$ can be different for two stuttering-equivalent prefixes $\sigma$ and $\tau$. This seems to contradict our assertion that stuttering-equivalent behaviors should be indistinguishable. If we think of a stuttering step as representing an externally unobservable step of some object, then the system should certainly not be able to detect stuttering actions performed by the environment. Define $f$ to be invariant under $\neg\mu$-stuttering iff $\sigma \simeq_{\neg\mu} \tau$ implies $f(\sigma) = f(\tau)$, for all finite behavior prefixes $\sigma$ and $\tau$. It would be more natural to add to the definition of a $\mu$-strategy $f$ the requirement that $f$ be invariant under $\neg\mu$-stuttering. The following proposition shows that we could restrict ourselves to such strategies, and could even add the further requirement that the strategies be total functions.

Proposition 2 For any agent set $\mu$ and any property $P$, let $\mathcal{S}_\mu(P)$ be the subset of $\mathcal{R}_\mu(P)$ consisting of the union of all sets $O_\mu(f)$ contained in $P$ such that $f$ is a total $\mu$-strategy that is invariant under $\neg\mu$-stuttering. Then every behavior in $\mathcal{R}_\mu(P)$ is stuttering-equivalent to a behavior in $\mathcal{S}_\mu(P)$.

We could thus define $\mathcal{R}_\mu(P)$ to be the closure of $\mathcal{S}_\mu(P)$ under stuttering-equivalence. Taking this closure would be necessary even if one of the two conditions, totality or invariance under $\neg\mu$-stuttering, were dropped from the definition of $\mathcal{S}_\mu(P)$. It is therefore more convenient to allow arbitrary strategies in the definition of $\mathcal{R}_\mu(P)$.

Although we could restrict ourselves to $\mu$-strategies that are invariant under $\neg\mu$-stuttering, requiring strategies to be invariant under all stuttering, as in the definition of "fair realizability" of [ALW89], would materially change our definitions. A result in Stark's unpublished thesis proposal suggests that this restriction would not change the definition of realizability; but the following example shows that it would alter the definition of receptiveness. Let $P$ be the property consisting of all behaviors containing infinitely many nonstuttering steps. With the definitions used here, $P$ equals its $\mu$-realizable part. With the definition in [ALW89], the "fairly $\mu$-realizable" part of $P$ would consist of only those behaviors containing infinitely many nonstuttering $\mu$ steps. (This example demonstrates that a conjecture of Broy et al. [BDDW91] is false.)

System stuttering steps represent ones in which the system changes only its internal state, so allowing a $\mu$-strategy to depend upon $\mu$-stuttering steps is equivalent to allowing the strategy to depend upon the system's internal state. More precisely, suppose that the state includes some "variable" that the property $P$ does not depend on. Then adding the requirement that a $\mu$-strategy be invariant under stuttering does not change the definition of $\mathcal{R}_\mu(P)$. (This can be proved by showing that if a $\mu$-strategy $f$ is invariant under $\neg\mu$-stuttering, then one can modify $f$ to obtain an "equivalent" strategy $f'$ that is invariant under all stuttering; $f'$ takes a step that changes only the extra variable whenever $f$ takes a stuttering step.) By allowing a strategy to depend upon stuttering steps, we obviate the need to rely upon internal state for our definitions.

3.2.3 Some Basic Propositions

We now state some results about realizability. The first asserts that $\mathcal{R}_\mu$ is monotonic.

Proposition 3 For any properties $P$ and $Q$ and any agent set $\mu$, if $P \subseteq Q$ then $\mathcal{R}_\mu(P) \subseteq \mathcal{R}_\mu(Q)$.

The next proposition asserts that the realizable part of a property is receptive.

Proposition 4 For any property $P$ and agent set $\mu$, $\mathcal{R}_\mu(\mathcal{R}_\mu(P)) = \mathcal{R}_\mu(P)$.

The next result provides a useful representation of the realizable part of a property in terms of the realizable part of its closure $\overline{P}$.

Proposition 5 For any property $P$ and agent set $\mu$, $\mathcal{R}_\mu(P) = \mathcal{R}_\mu(\overline{P}) \cap P$.

The next result indicates that "constrains at most" and receptiveness are essentially the same for safety properties.

Proposition 6 For any nonempty safety property $P$ and any agent set $\mu$, property $P$ constrains at most $\mu$ iff $P$ is $\mu$-receptive.

Proposition 4 asserts that the $\mu$-realizable part $\mathcal{R}_\mu(P)$ of a property $P$ is $\mu$-receptive. Hence, Proposition 6 implies that, if $\mathcal{R}_\mu(P)$ is a nonempty safety property, then it constrains at most $\mu$. The following result generalizes this to the case when $\mathcal{R}_\mu(P)$ is not a safety property.

Proposition 7 For any agent set $\mu$, if $P$ is a $\mu$-realizable property then $\mathcal{R}_\mu(P)$ constrains at most $\mu$.

In general, the realizable part of a property is not expressible in terms of simpler operations on properties. Proposition 6 describes a simple case in which $\mathcal{R}_\mu(P)$ equals $P$. Since $\mathit{true} \Rightarrow Q$ and $\mathit{true} \mathrel{-\!\triangleright} Q$ both equal $Q$, the following proposition generalizes the "only if" part of Proposition 6.

Proposition 8 Let $\mu$ be an agent set, $I$ a state predicate, $P$ a safety property that constrains at most $\neg\mu$, and $Q$ a safety property that constrains at most $\mu$. Then $\mathcal{R}_\mu(I \cap P \Rightarrow Q)$ equals $I \cap P \mathrel{-\!\triangleright} Q$.

4 The Form of a Specification 

Our Composition Principle applies only to specifications of the form $E \Rightarrow M$, where $E$ is a safety property. In this section, we explain why specifications
can and should be written in this way. Before considering general spec- 
ifications, we first examine a particular class of specifications — programs. 
A program is a specification that is sufficiently detailed so a system that 
satisfies it can be generated automatically. Typically, a system satisfying 
the specification is generated by compiling the program and executing the 
resulting code on a computer. 
4.1 The Form of a Complete Program

We start by considering complete programs. In formal models of complete programs, there are no environment actions, only system actions. Input occurs through initial values of variables or by executing a nondeterministic input statement in the program. (An input statement is nondeterministic because the program text and the execution of the program up to that point do not determine the input value.) Thus, a complete program is a specification in which every agent in $\mathcal{A}$ is a system agent. Since we want the specification to be $\mathcal{A}$-abstract, it does not matter what agents perform the steps of a behavior, so we can ignore the agents and consider a behavior to be a sequence of states.

4.1.1 The Parts of a Complete Program 

A complete program is defined by four things: 

set of states A state provides an "instantaneous picture" of the execution 
status of the program. It is determined by such things as the values of 
variables, the loci of control of processes, and the messages in transit — 
the details depending upon the programming language. 

initial predicate The initial predicate $I$ is a state predicate that specifies the set of valid starting states of the program. Recall that the predicate $I$ (a set of states) is interpreted as the property consisting of all behaviors whose starting state is in $I$.

next-state relation The next-state relation $\mathcal{N}$ is a set of pairs of states that describes the state transitions allowed by the program, where $(s,t) \in \mathcal{N}$ iff executing one step of the program starting in state $s$ can produce the new state $t$. It is described explicitly by the program text and the assumptions about what actions are considered to be atomic. The next-state relation $\mathcal{N}$ determines a property $TA(\mathcal{N})$, defined by $\sigma \in TA(\mathcal{N})$ iff $s_i(\sigma) = s_{i+1}(\sigma)$ or $(s_i(\sigma), s_{i+1}(\sigma)) \in \mathcal{N}$, for all $i \geq 0$. In other words, $TA(\mathcal{N})$ is the set of all behaviors in which each nonstuttering step is allowed by the next-state relation $\mathcal{N}$.

progress property The next-state relation specifies what state changes may occur, but it does not require that any state changes actually do occur. The progress property $L$ specifies what must occur. A common type of progress property is one asserting that if some state change is allowed by the next-state relation, then some state change must occur.

Formally, the program is the property $I \cap TA(\mathcal{N}) \cap L$. Note that $I$ and $TA(\mathcal{N})$, and hence $I \cap TA(\mathcal{N})$, are safety properties.

All assertional methods of reasoning about concurrent programs are 
based on a description of the program in terms of a set of states, an ini- 
tial predicate, and a next-state relation. By now, these methods should be 
familiar enough that there is no need for us to discuss those parts of the 
program. Progress properties are less well understood and merit further 
consideration. 

4.1.2 The Progress Property 

Assertional methods that deal with liveness properties need some way of 
specifying the program's progress property. The requirement that the pro- 
gram be executable in practice constrains the type of progress property that 
can be allowed. The initial state and the computer instructions executed by a 
program are derived from the program's code, which specifies the next-state 
relation. The progress property should constrain the eventual scheduling of 
instructions, but not which instructions are executed. For the program to 
be executable in practice, the state transitions that it may perform must be 
determined by the initial state and the next-state relation alone; they must 
not be constrained by the progress property. 

As an example, consider the simple next-state relation pictured in Figure 2, where the program state consists of the value of the single variable $x$. Assume that the initial predicate asserts that $x$ equals 0. The property asserting that $x = 3$ holds at some time during execution, usually written $\Diamond(x = 3)$, is a liveness property. However, for the program to satisfy this property, it must not make the state transition from $x = 0$ to $x = 1$ allowed by the next-state relation. Thus, if $\Diamond(x = 3)$ were the program's progress property, a compiler would have to deduce that the transition from $x = 0$ to $x = 1$, which is permitted by the next-state relation, must not occur.

The condition that the progress property $L$ does not further constrain the initial state or the next-state relation is expressed formally by the following conditions, which are all equivalent.

• For every finite behavior prefix $\rho$ with $\rho$ in $I \cap TA(\mathcal{N})$, there exists a behavior $\sigma$ in $I \cap TA(\mathcal{N}) \cap L$ such that $\rho$ is a prefix of $\sigma$.

• $I \cap TA(\mathcal{N}) = \overline{I \cap TA(\mathcal{N}) \cap L}$

• If $Q$ is any safety property, then $I \cap TA(\mathcal{N}) \cap L \subseteq Q$ iff $I \cap TA(\mathcal{N}) \subseteq Q$.

Figure 2: A simple next-state relation.

The last condition asserts that the safety properties satisfied by the program are completely determined by the initial predicate and the next-state relation; in other words, the progress property does not add any safety properties.

We define a pair $(M, P)$ of properties to be machine-closed iff $M = \overline{P}$. (The term "machine-closed" was introduced in [AL91].) Machine closure of $(M, P)$ means that $P$ does not imply any safety properties not implied by $M$. So, if $L$ is a progress property, we expect the pair $(I \cap TA(\mathcal{N}),\ I \cap TA(\mathcal{N}) \cap L)$ to be machine-closed. When this condition is satisfied, we sometimes informally write that the progress property $L$ or the program is machine-closed. To our knowledge, all the progress assumptions that have been proposed for programs are machine-closed.

A program's progress property is usually called a fairness condition. There have been few attempts to give a general definition of fairness. Manna and Pnueli [MP87] define a class of "fairness" properties that is independent of any next-state relation, but they provide no justification for their terminology. Apt, Francez, and Katz [AFK88] discuss three "fairness criteria"; one of them is machine-closure, which they call "feasibility".

Most of the progress properties that have been proposed can be stated as fairness conditions on program actions, for example the condition that certain state transitions cannot be enabled forever without occurring. These progress properties are not all generally considered to be fairness properties. In particular, the property asserting that the entire program never stops if some step can be executed is machine-closed, but multiprocess programs satisfying only this progress assumption are generally called unfair. We believe that machine-closure provides the proper definition of a progress property, and that any distinction between fairness properties and progress properties is probably language-dependent and not fundamental.

4.2 The Form of a Partial Program 

A partial program is part of a larger program. It may be a single process in a CSP program, or a single assignment statement in a Pascal program. It should be possible to implement the partial program independently of the rest of the program, which constitutes its environment. Such an implementation might be very inefficient (as, for example, if each assignment statement of a Pascal program were compiled independently without knowing the types of the variables), but it should be possible. Actions may be taken either by the partial program or by its environment.

4.2.1 The Parts of a Partial Program 

The following modifications of the parts that define a program are needed 
to handle partial programs. 

set of states The complete state cannot be determined from the text of 
the partial program. For example, there is no way of knowing what 
variables are introduced in other parts of the complete program. There 
are two ways to define the set of states S for a partial program. 

• S is the set of states defined by the complete program. Since the 
complete program is not known, S is not known, so the meaning 
of the partial program depends upon a fixed but unknown set of 
states. 

• S includes all possible program variables and other state compo- 
nents. The meaning of the partial program is defined in terms of 
a known set of states, but it is a very "large" set of states, since 
it must accommodate all possible complete programs. 

Both approaches lead to equivalent formalisms. Here, we find the first 
assumption most convenient, and we take S to be the unknown set 
of states of the larger program. The partial program modifies only 
those components of the state explicitly mentioned; the environment 
can modify any part of the state. 
agent set We use agents to distinguish the actions performed by the partial program from the ones performed by its environment. Program steps are taken by agents in $\mu$, environment steps by agents in $\neg\mu$. We don't care which agents in $\mu$ or in $\neg\mu$ take the steps, so it suffices to distinguish only $\mu$ steps and $\neg\mu$ steps.

initial predicate In our "realization game", the environment chooses the 
initial state. The initial condition must therefore become part of the 
environment specification, so it disappears from the program. 

next-state relation The next-state relation $\mathcal{N}$ now constrains only the state transitions performed by the program, not the ones performed by the environment. It describes the property $TA_\mu(\mathcal{N})$, which is defined by $\sigma \in TA_\mu(\mathcal{N})$ iff $a_{i+1}(\sigma) \in \mu$ implies $s_i(\sigma) = s_{i+1}(\sigma)$ or $(s_i(\sigma), s_{i+1}(\sigma)) \in \mathcal{N}$, for all $i \geq 0$. The next-state relation must be defined in such a way that any part of the state not explicitly mentioned is left unchanged.

This leaves the question of what is the appropriate modification to the machine-closure condition for progress properties. Recall that machine-closure was derived from the requirement that a complete program be implementable in practice. Ignoring the initial predicate, machine-closure asserts that any finite execution satisfying the next-state relation can be completed to an execution satisfying the next-state relation and the progress property. We similarly require that the partial program be implementable in practice, except now we have the additional requirement that it be implementable without knowing its environment. In other words, the implementation must work regardless of what the environment does. We therefore require that given any finite behavior prefix in which the program's actions satisfy the next-state relation, there is a strategy that the program can play from that point on and "win", that is, produce a behavior satisfying the next-state relation and the progress property.

The formal expression of this condition is statement (a) in the following proposition, when $TA_\mu(\mathcal{N})$ is substituted for $M$. Statement (b) is a useful variant of (a), and (c) is a reformulation of (a) in terms of topology and receptiveness.

Proposition 9 For any agent set $\mu$, safety property $M$, and arbitrary property $L$, the following three conditions are equivalent:

(a) For every finite behavior prefix $\rho$ such that $\rho \in M$, there exist a $\mu$-strategy $f$ with $O_\mu(f) \subseteq M \cap L$ and a behavior $\sigma \in O_\mu(f)$ with $\rho$ a prefix of $\sigma$.

(b) For every finite behavior prefix $\rho$ such that $\rho \in M$, there exist a $\mu$-strategy $f$ with $O_\mu(f) \subseteq M \cap L$ and a behavior $\sigma \in O_\mu(f)$ with $\rho$ stuttering-equivalent to a prefix of $\sigma$.

(c) The pair $(M, M \cap L)$ is machine-closed, and $M \cap L$ is $\mu$-receptive.

We define a pair of properties $(M, P)$ to be $\mu$-machine-realizable iff it is machine-closed and $P$ is $\mu$-receptive. The generalization to partial programs of the machine-closure condition on a progress property $L$ is that the pair $(TA_\mu(\mathcal{N}),\ TA_\mu(\mathcal{N}) \cap L)$ be $\mu$-machine-realizable, where $\mathcal{N}$ is the program's next-state relation. In this case, we say informally that $L$ is machine-realizable.

To illustrate the difference between progress properties of partial and complete programs, let $L_A$ be the property asserting that if some program action $A$ is infinitely often enabled, then that action must occur infinitely often. More formally, let $A$ be a subset of the next-state relation $\mathcal{N}$, define $A$ to be enabled in a state $s$ iff there exists a state $t$ with $(s,t) \in A$, and define $L_A$ to be the property such that $\sigma \in L_A$ iff either $A$ is enabled in state $s_i(\sigma)$ for only finitely many values of $i$, or else $(s_i(\sigma), s_{i+1}(\sigma)) \in A$ for infinitely many values of $i$. The property $L_A$ is the usual strong fairness requirement for action $A$. Strong fairness is a reasonable progress property for a complete program, since it is machine-closed.

Now, suppose that $L_A$ is the progress property of a partial program. When playing the "realization game", the environment can play infinitely many moves in which it adds two states: one in which $A$ is enabled followed by one in which it is not enabled. (Such environment moves are "legal" because the partial program's safety property $TA_\mu(\mathcal{N})$ allows any steps by the environment.) The program never has a chance to take an $A$ step because it never gets to play a move when $A$ is enabled. Thus, the resulting outcome does not satisfy the property $L_A$, so $L_A$ is not a machine-realizable progress property. In fact, it is not even realizable. This losing outcome corresponds to a physical situation in which the environment changes the state so fast that $A$ never stays enabled long enough for the program to react in time to perform an $A$ action.

To obtain a machine-realizable progress property, let $\mathcal{N}'$ be a next-state relation asserting that $A$ is never disabled. Formally, $(s,t) \in \mathcal{N}'$ iff $A$ is not enabled in $s$ or is enabled in $t$. The property $TA_{\neg\mu}(\mathcal{N}')$ asserts that the environment never disables $A$. The progress property $TA_{\neg\mu}(\mathcal{N}') \Rightarrow L_A$ is machine-realizable. In the realization game, the environment loses if it ever disables $A$, since doing so ensures that $TA_{\neg\mu}(\mathcal{N}')$ will be false, making $TA_{\neg\mu}(\mathcal{N}') \Rightarrow L_A$ true. The program can therefore always win the game by taking an $A$ step whenever it gets to move with $A$ enabled.
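The two games just described can be played out in code. The following Python simulation is an added example, not code from the paper. The state is a constructed pair (flag, count): action $A$ is enabled iff the flag is set, and an $A$ step increments the count. An environment move appends any finite list of states and a system move at most one, as in the realization game; the system's $\mu$-strategy is the one the text prescribes, an $A$ step whenever it gets to move with $A$ enabled. A fixed number of rounds stands in for the infinite game, so "$A$ enabled infinitely often" becomes "$A$ enabled in every round". Against the flipping environment from the text, $A$ is enabled in fifty states yet no $A$ step is ever taken, the losing pattern for $L_A$; the same outcome violates $TA_{\neg\mu}(\mathcal{N}')$ at the environment's first disable, so under $TA_{\neg\mu}(\mathcal{N}') \Rightarrow L_A$ the system has already won. Against an environment that never disables $A$, the strategy takes an $A$ step every round. The agent names and both environments are constructed for the example.

```python
from typing import Callable, Optional

# Constructed state of the partial program: (a_enabled, count).
State = tuple[bool, int]
SYS, ENV = "sys", "env"


def a_enabled(s: State) -> bool:
    return s[0]


def in_action_a(s: State, t: State) -> bool:
    """Program action A: enabled iff the flag is set; it bumps the counter."""
    return a_enabled(s) and t == (True, s[1] + 1)


def in_n_prime(s: State, t: State) -> bool:
    """N': (s,t) in N' iff A is not enabled in s or is enabled in t."""
    return (not a_enabled(s)) or a_enabled(t)


def take_a_when_enabled(prefix: list[State]) -> Optional[State]:
    """The mu-strategy from the text: partial function from the prefix to the
    system's next state; None means the system chooses not to move."""
    s = prefix[-1]
    return (True, s[1] + 1) if a_enabled(s) else None


def flipping_env(s: State) -> list[State]:
    """Adversary from the text: enable A, then immediately disable it again."""
    return [(True, s[1]), (False, s[1])]


def cooperative_env(s: State) -> list[State]:
    """An environment that enables A once and then never disables it."""
    return [(True, s[1])]


def play(env_move: Callable[[State], list[State]],
         strategy: Callable[[list[State]], Optional[State]],
         s0: State, rounds: int) -> tuple[list[State], list[str]]:
    """Run the realization game for a finite number of rounds.

    The environment chooses s0 and moves first; moves then alternate.
    Returns the states of the outcome prefix and the agent of each step.
    """
    states, agents = [s0], []
    for _ in range(rounds):
        for t in env_move(states[-1]):
            states.append(t)
            agents.append(ENV)
        t = strategy(states)
        if t is not None:
            states.append(t)
            agents.append(SYS)
    return states, agents


def summarize(states: list[State], agents: list[str]) -> dict:
    """Bounded view of L_A and of TA_{not mu}(N') on the outcome prefix."""
    enabled_states = sum(1 for s in states if a_enabled(s))
    a_steps = sum(1 for i in range(len(agents))
                  if in_action_a(states[i], states[i + 1]))
    env_ok = all(in_n_prime(states[i], states[i + 1])
                 for i in range(len(agents)) if agents[i] == ENV)
    return {
        "a_enabled_states": enabled_states,   # many enabled states but ...
        "a_steps": a_steps,                   # ... how many A steps happened
        "env_kept_a_enabled": env_ok,         # TA_{not mu}(N') on the prefix
        # TA_{not mu}(N') => L_A: the system wins once the environment breaks
        # N' (antecedent false), or by keeping on taking A steps.
        "sys_wins_conditional": (not env_ok) or a_steps > 0,
    }


def starved_game(rounds: int = 50) -> dict:
    return summarize(*play(flipping_env, take_a_when_enabled, (False, 0), rounds))


def cooperative_game(rounds: int = 50) -> dict:
    return summarize(*play(cooperative_env, take_a_when_enabled, (False, 0), rounds))


if __name__ == "__main__":
    print("flipping environment:", starved_game())
    print("cooperative environment:", cooperative_game())
```

Note that the strategy is the same in both games; only the environment differs, which is the point of the text: no $\mu$-strategy can win $L_A$ alone against the flipping environment, so the specification must either exclude that environment or drop the obligation when it occurs.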

4.2.2 Hiding the Internal State 

Another important concept introduced when considering partial programs 
is hiding. Variables and other state components that are local to the partial 
program should be hidden — meaning that they are modified only by the 
program and do not conflict with similarly-named components in the envi- 
ronment. In our approach, hiding is effected by existential quantification 
over state components. 

Existential Quantification Existential quantification is defined formally as follows. Let $X$ denote a set of values, let $\Pi_S$ and $\Pi_X$ denote the projection functions from $S \times X$ to $S$ and $X$, respectively, and let $x$ be an abbreviation for $\Pi_X$. We extend $\Pi_S$ to a mapping from $S \times X$-behaviors to $S$-behaviors by letting $\Pi_S(\sigma)$ be the behavior such that $a_i(\Pi_S(\sigma)) = a_i(\sigma)$ and $s_i(\Pi_S(\sigma)) = \Pi_S(s_i(\sigma))$ for all $i$. For any $S \times X$-property $P$, we define $\exists x : P$ to be the $S$-property such that $\sigma$ is in $\exists x : P$ iff there exists an $S \times X$-behavior $\sigma'$ in $P$ with $\Pi_S(\sigma') \simeq \sigma$.

Intuitively, $S \times X$ is a set of states in which $S$ is the externally observable component and $X$ is the component internal to the program. The property $\exists x : P$ is obtained from $P$ by hiding the $x$-component. We use the notation "$\exists x$" for this hiding operator because it obeys the logical rules of existential quantification when properties are expressed as formulas in an appropriate logic [Lam90]. As usual, $\exists$ binds more weakly than other operators.

Hiding with Existential Quantification Let $\mathcal{N}$ be the next-state relation of the program and $L$ its progress property. When there is an internal state component, $\mathcal{N}$ is a set of pairs of elements of $S \times X$, in other words a subset of $(S \times X) \times (S \times X)$, and $L$ is an $S \times X$-property. Formally, the program is the property $\exists x : P \cap TA_\mu(\mathcal{N}) \cap L$, where $P$ is the $S \times X$-property asserting that the $x$-component of the state has the correct initial value and is not changed by the environment. The correct initial value of the state's $x$-component is specified by an initial $S \times X$-predicate $I_x$. (Remember that the initial value of the $S$-component is described by the environment specification.) The assertion that the environment leaves the $x$-component unchanged is $TA_{\neg\mu}(U_x)$, where $U_x$ is the next-state relation consisting of all pairs $((s,x), (s',x'))$ such that $x = x'$. The program is then the property

$$\exists x : I_x \cap TA_{\neg\mu}(U_x) \cap TA_\mu(\mathcal{N}) \cap L \qquad (2)$$
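Hiding can be made concrete on finite prefixes. The Python code below is an added example, not code from the paper: the visible $S$-state is an integer $y$, the hidden $X$-component is a "token" count $x$, and the constructed program of the form (2) has $I_x$ (no tokens initially), $U_x$ (the environment never touches $x$) and a next-state relation $\mathcal{N}$ under which the system either takes a token (an internal step that changes only $x$) or spends one to increment $y$. Seen through $\exists x$, the program simply increments $y$ by system steps. The membership check for $\sigma \in \exists x : P$ searches for a witness $\sigma'$ with $\Pi_S(\sigma') \simeq \sigma$; the search is bounded (hidden values drawn from a small constructed range, and at most one internal step inserted before each visible step), so a positive answer is a genuine witness while a negative answer only says no witness exists within that bound. Disabling the inserted internal steps shows why the definition uses stuttering equivalence rather than equality of projections: without them, no witness exists for a visible prefix that needs the hidden preparatory step.

```python
from itertools import product
from typing import Iterator

# Constructed S x X states: (y, x) with y visible and x hidden.  A prefix is an
# initial state plus (agent, state) steps.
FullState = tuple[int, int]
SYS, ENV = "sys", "env"
MU = frozenset({SYS})


def project(s0: FullState, steps: list) -> tuple:
    """Pi_S on a prefix: agents are kept, each state loses its x-component."""
    return s0[0], [(a, s[0]) for a, s in steps]


def collapse(s0, steps) -> tuple:
    """Drop stuttering steps; prefixes are stuttering-equivalent iff equal after this."""
    out, prev = [], s0
    for a, s in steps:
        if s != prev:
            out.append((a, s))
            prev = s
    return s0, out


def stuttering_equivalent(p, q) -> bool:
    return collapse(*p) == collapse(*q)


def initial_ok(s: FullState) -> bool:
    return s[1] == 0                       # I_x: no tokens at the start


def env_keeps_x(s: FullState, t: FullState) -> bool:
    return s[1] == t[1]                    # U_x: the environment never touches x


def sys_step_ok(s: FullState, t: FullState) -> bool:
    y, x = s                               # N: take a token (internal step) ...
    return t == (y, x + 1) or (x >= 1 and t == (y + 1, x - 1))  # ... or spend one


def in_program(s0: FullState, steps: list) -> bool:
    """I_x ∩ TA_{¬μ}(U_x) ∩ TA_μ(N) evaluated on a finite S x X prefix."""
    if not initial_ok(s0):
        return False
    prev = s0
    for a, s in steps:
        if s != prev and not (sys_step_ok(prev, s) if a in MU else env_keeps_x(prev, s)):
            return False
        prev = s
    return True


def witnesses(vis_s0: int, vis_steps: list, x_values, allow_internal: bool) -> Iterator:
    """Candidate S x X prefixes whose S-projection is stuttering-equivalent to the
    visible prefix: the visible states with an x attached, plus (optionally) one
    internal x-only system step inserted before each visible step."""
    n = len(vis_steps)
    internal = [None] + (list(x_values) if allow_internal else [])
    for x0, ins, xs in product(x_values, product(internal, repeat=n),
                               product(x_values, repeat=n)):
        steps, y_prev = [], vis_s0
        for i, (a, y) in enumerate(vis_steps):
            if ins[i] is not None:
                steps.append((SYS, (y_prev, ins[i])))   # projects to a stuttering step
            steps.append((a, (y, xs[i])))
            y_prev = y
        yield (vis_s0, x0), steps


def in_hidden(vis_s0: int, vis_steps: list, x_values=range(3), allow_internal=True) -> bool:
    """Bounded check of sigma ∈ (∃x : P): is there a witness sigma' in P with
    Pi_S(sigma') stuttering-equivalent to sigma?  True is genuine; False only
    means no witness within the bound."""
    vis = (vis_s0, vis_steps)
    return any(in_program(s0, st) and stuttering_equivalent(project(s0, st), vis)
               for s0, st in witnesses(vis_s0, vis_steps, x_values, allow_internal))


if __name__ == "__main__":
    print(in_hidden(0, [(SYS, 1), (SYS, 2)]))                        # True
    print(in_hidden(0, [(SYS, 1), (SYS, 2)], allow_internal=False))  # False
    print(in_hidden(0, [(SYS, 2)]))                                  # False
    print(in_hidden(0, [(ENV, 5), (SYS, 6)]))                        # True
```

The third call fails because no assignment of hidden values makes a visible jump of $y$ by two an $\mathcal{N}$ step; the fourth succeeds because $U_x$ lets the environment change $y$ freely as long as it leaves $x$ alone.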

Since we want the program to be machine-realizable, it is natural to ask under what conditions the specification (2) is machine-realizable. Machine-realizability is defined for a pair of properties $(M, P)$, where $M$ is the program's safety property and $P$ is the complete specification, which in this case equals (2). We expect the safety property $M$ to be

$$\exists x : I_x \cap TA_{\neg\mu}(U_x) \cap TA_\mu(\mathcal{N}) \qquad (3)$$

This is not always a safety property, but it turns out to be a safety property for ordinary specifications written in a "reasonable" way, meaning that the next-state relation does not use the internal state component $x$ to encode progress properties. For the precise condition under which (3) is a safety property, see Proposition 2 of [AL91]. A sufficient condition for $(M, P)$ to be $\mu$-machine-realizable is given by the following result.

Proposition 10 Let $\mu$ be an agent set, let $x$ be the projection function from $S \times X$ to $X$, and let $I_x$ be an $S \times X$-predicate, $\mathcal{N}$ a next-state relation on $S \times X$, and $L$ an $S \times X$-property. Let $M$ equal (3) and let $P$ equal (2). Assume that:

(a) For all $s \in S$ there exists $x \in X$ such that $(s,x) \in I_x$.

(b) The pair $(TA_\mu(\mathcal{N}),\ TA_\mu(\mathcal{N}) \cap (I_x \cap TA_{\neg\mu}(U_x) \Rightarrow L))$ is $\mu$-machine-realizable.

(c) $M$ is a safety property.

Then $(M, P)$ is $\mu$-machine-realizable.

This proposition remains valid if, in hypothesis (b), $TA_\mu(\mathcal{N})$ is replaced by $(I_x \cap TA_{\neg\mu}(U_x)) \mathrel{-\!\triangleright} TA_\mu(\mathcal{N})$, which equals $\mathcal{R}_\mu(I_x \cap TA_{\neg\mu}(U_x) \Rightarrow TA_\mu(\mathcal{N}))$ by Proposition 8.

4.3 The Normal Form of a Specification

The specification of a system is written as a property of the form $E \Rightarrow M$, asserting that the system guarantees property $M$ under the assumption that the environment satisfies property $E$. In the transition-axiom approach [Lam83a, Lam89], $E$ and $M$ are written as abstract partial programs, using next-state relations and progress properties. Since the environment makes the first move in our realization game, the initial predicate must be included with $E$; the abstract program $M$ has no initial predicate, except on its internal, hidden state. (Intuitively, we are assuming that the system has control of the initial values only of its internal state, not of the externally visible state.) We therefore write our specification in the canonical form

$$I \cap E_S \cap E_L \Rightarrow M_S \cap M_L \qquad (4)$$

where $I$ is an initial predicate, $E_S$ is a safety property constraining only $\neg\mu$, and $M_S$ is a safety property constraining only $\mu$.

If the system property $M$ were written as an executable program, then
we would expect the pair $(M_S, M_S \cap M_L)$ to be machine-realizable. However,
$M$ is an abstract program that is meant to specify what the system is allowed
to do, not how it does it. Requiring the abstract program to be executable
in practice, that is, capable of being transformed into executable code by a
real compiler, is too restrictive, leading to overly complex and overly restrictive
specifications. It is not clear whether requiring the abstract program to
be executable in principle, that is, to be machine-realizable, is too restrictive.
If $(M_S, M_S \cap M_L)$ is not machine-realizable, then it allows behaviors
that cannot be achieved in practice. Most of the specifications we have
seen are machine-realizable. But allowing unachievable behaviors causes no
harm, as long as the specification is realizable. Allowing some unachievable
behaviors may yield a simpler specification. For example, the simplicity of
the specification of a serializable database in [Lam89] results from its not
being machine-closed, hence not machine-realizable. We have too little
experience writing specifications to know if this example is an anomaly or if
others will arise. We therefore do not assume machine-realizability of the
pair $(M_S, M_S \cap M_L)$.

The situation is different for the environment property $E$. Progress
assumptions about the environment seem to be unusual. A specification usually
requires that the system eventually do something after the environment
has taken some action, but seldom does it assume that the environment
must take that action. Thus, $E_L$ should generally be identically true, so the
pair $(E_S, E_S)$ will be $\neg\mu$-machine-realizable if $E_S$ constrains at most $\neg\mu$.
In a transition-axiom specification, $E_S$ has the form $TA_{\neg\mu}(N)$, which does
constrain at most $\neg\mu$.

Even if a specification does include a nontrivial progress assumption $E_L$
about the environment, we believe that it may be reasonable to require
the pair $(E_S, E_S \cap E_L)$ to be $\neg\mu$-machine-realizable. The intent of the
specification $E \Rightarrow M$ is that the system should win the realization game by
making $M$ true, not by making $E$ false. The machine-realizability condition
means that so long as the environment maintains $E_S$, it can ensure that
$E_S \cap E_L$ will be true; hence, the system can never win by forcing $E$ to be
false. A specification in which $(E_S, E_S \cap E_L)$ is not $\neg\mu$-machine-realizable
seems likely to be incorrect, in the sense that it does not capture the intent
of its author.

If the environment assumption is machine-realizable, then there is no
need for an environment progress assumption because the property $E_L$ can
be incorporated into the system's progress property. This is stated formally
by the following theorem.

Theorem 1 If $I$ is a state predicate, $(E_S, E_S \cap E_L)$ is $\neg\mu$-machine-realizable,
$M_S$ is a safety property, and $M_L$ is any property, then

$$I \cap E_S \cap E_L \Rightarrow M_S \cap M_L$$

and

$$I \cap E_S \Rightarrow M_S \cap (E_L \Rightarrow M_L)$$

are $\mu$-equirealizable.

The abstract programs describing the system and the environment may 
contain hidden, internal state components, in which case the specification 
involves existential quantification. We now consider how Theorem 1 can be 
applied in the presence of quantification. 

Since environment specifications tend to be simple, we suspect that
variables internal to the environment can usually be confined to $E_S$, allowing
$E$ to be written as $(\exists x : E_S) \cap E_L$, so the theorem can be applied. In
any case, the following approach can always be used to eliminate existential
quantification from $E$. The laws of ordinary predicate logic imply that,
if $x$ is not free in $M$ or $P$, then $P \Rightarrow ((\exists x : E) \Rightarrow M)$ is equivalent to
$P \Rightarrow \forall x : (E \Rightarrow M)$, which in turn is valid iff $P \Rightarrow (E \Rightarrow M)$ is valid.
Similar reasoning about quantification over state components allows us to
replace $(\exists x : E) \Rightarrow M$ by $E \Rightarrow M$, if we require that no implementation $P$
use $x$. (Implementation is discussed in Section 5.2.)

Existential quantification in the system's description $M$ is handled by
the following generalization of Theorem 1, in which the $S$-property $E_L$ is
identified with the $S \times X$-property $\Pi_S^{-1}(E_L)$.

Corollary Let $\mu$ be any agent set, let $x$ be the projection function from
$S \times X$ to $X$, let $I$ be an $S$-predicate, let $(E_S, E_S \cap E_L)$ be a $\neg\mu$-machine-realizable
pair of $S$-properties, and let $M_S$ and $M_L$ be $S \times X$-properties such
that $\exists x : M_S$ is a safety property. Then

$$I \cap E_S \cap E_L \Rightarrow \exists x : M_S \cap M_L$$

and

$$I \cap E_S \Rightarrow \exists x : M_S \cap (E_L \Rightarrow M_L)$$

are $\mu$-equirealizable.

4.4 An Overly Normal Form

Theorem 1 permits us to take a specification of the form (4) and move the
environment's progress property to the right of the implication. But, can
we always write the specification in the form (4) in the first place? The
answer is that not only can we, but we don't even need the left-hand side
of the implication. Propositions 5 and 7 imply that the realizable part
of any realizable property $P$ can be written as $M_S \cap M_L$, where $M_S$ is a
safety property that constrains only $\mu$. (Just take $M_S$ to be $\overline{\mathcal{R}_\mu(P)}$ and
$M_L$ to be $P$.) In fact, we can choose the pair $(M_S, M_S \cap M_L)$ to be
$\mu$-machine-realizable. (The $\mu$-machine-realizability of $(\overline{\mathcal{R}_\mu(P)}, P)$ follows from
Propositions 4 and 5.)

We can go still further in finding a representation of the realizable part
of a property. It can be shown that any safety property that constrains at
most $\mu$ can be written in the form

$$\exists x : I_x \cap TA_{\neg\mu}(U_X) \cap TA_\mu(N)$$

for some initial predicate $I_x$ satisfying hypothesis (a) of Proposition 10
and some next-state relation $N$. (This result is a simple generalization
of Proposition 3 of [AL91].) Thus, the $\mu$-realizable part of any property
$P$ can be written in the form $\exists x : M_S \cap M_L$, where $M_S$ has the form
$I_x \cap TA_{\neg\mu}(U_X) \cap TA_\mu(N)$ and the pair $(\exists x : M_S,\ \exists x : M_S \cap M_L)$ is
$\mu$-machine-realizable.

The ability to write a specification in this form seems to imply that
there is no need to write an explicit assumption about the environment.
Why write a specification of the form $E \Rightarrow M$ when we can simply write
$M$? One answer is that separating the environment assumption $E$ from the
guarantee $M$ allows us to take advantage of the Composition Principle.
Another answer lies in the practical matter of what the specification looks like.
If we eliminate the explicit environment assumption, then that assumption
appears implicitly in the property $M$ describing the system. Instead of $M$
describing only the behavior of the system when the environment behaves
correctly, $M$ must also allow arbitrary behavior when the environment behaves
incorrectly. Eliminating $E$ makes $M$ too complicated, and it is not a
practical alternative to writing specifications in the form $E \Rightarrow M$.

To be useful, a specification must be understandable. Theorems that 
assert the existence of a specification in a certain form are of no practical 
interest because they prove only that the specification exists, not that it is 
understandable. On the other hand, a result like Theorem 1 that provides 
a simple way to rewrite an existing specification can be of practical interest 
because the rewritten specification will be understandable if the original 
one is. 

Although it seems impractical in general to write $E \Rightarrow M$ without an
explicit environment assumption, it is practical if $M$ is a safety property.
In this case, Proposition 8 shows that $E \Rightarrow M$ is equivalent to the system
guarantee $E \stackrel{+}{\rightarrow} M$. In fact, this is precisely the form of specification that
has been used to develop composition principles for safety properties [MC81,
Pnu84].

5 Composing Specifications 

Our main result is a formal statement of the Composition Principle stated 
informally in the introduction. Before stating this result, we must explain 
how specifications are composed and what it means for one specification 
to implement another. For convenience, we restrict our attention to the 
composition of two systems. The generalization to an arbitrary number of 
systems is straightforward, and is described after the statement of our main 
theorem. 

5.1 The Composition of Specifications 

Consider two systems $\Pi_1$ and $\Pi_2$, and their composition, shown schematically
in Figure 3. The "wires" inp, mid, and out denote state components,
and $\mu_1$ and $\mu_2$ are the systems' agent sets. If $S_1$ and $S_2$ are the specifications
of the two systems, what is the specification of their composition?
Each $S_i$ is the property consisting of all histories of the universe (behaviors)
in which component $i$ functions correctly. A history of the universe is one in
which both components function correctly iff it is in both $S_1$ and $S_2$. Thus,
the specification of the composition of the two systems is simply $S_1 \cap S_2$.
This simple semantics of composition as intersection rests on the two basic
assumptions, discussed below, that $\Pi_1$ and $\Pi_2$ refer to the same states,
and that $\mu_1$ and $\mu_2$ are disjoint.

Figure 3: The composition of two systems.

5.1.1 Assumptions about the States 

In composing the two systems $\Pi_1$ and $\Pi_2$ of Figure 3, we combined the two
"wires" labeled mid into a single "wire". When two specifications are written
as logical formulas, a state-component variable like mid that appears in
both formulas is considered to represent the same state component. In some
situations, this use of names to identify state components in the two systems
is natural, for example, if the "systems" are the assignment statements
mid := inp + 1 and out := 2 * mid. In other situations, there may be no
connection between the names used in the two specifications, so renaming
is necessary. For example, if the systems are circuits, $\Pi_1$'s wire labeled
mid might have been labeled out, and $\Pi_2$'s wire labeled mid might have
been labeled inp. In that case, the specification of the composite system in
Figure 3 would be $S_1|^{mid}_{out} \cap S_2|^{mid}_{inp}$, where $S_1|^{mid}_{out}$ is obtained by substituting
mid for out in the formula for $S_1$.

It is this kind of renaming that allows us to make do with the single
operator $\cap$ for composing properties instead of having a multitude of
different composition operators. For example, two programming-language
statements can be combined by parallel composition or by sequential composition
(";"). Simple intersection of their specifications provides parallel
composition; sequential composition is obtained by first renaming components
of their control states in such a way that control is at the end of one
statement iff it is at the beginning of the other, then taking the intersection
of the resulting specifications.

Even with the proper choice of state-component names, we can write
the composition as the intersection $S_1 \cap S_2$ only if $S_1$ and $S_2$ are both
$S$-properties, that is, only if they have the same set of states $S$. But looking at
the two systems separately, we would not expect out to be a state component
of $\Pi_1$ or inp to be a state component of $\Pi_2$. The two specifications might
have to be modified to use the same set of states. This would be done by
expanding $S_1$'s state to include an out component, modifying $S_1$ to prohibit
$\mu_1$ agents from changing out, and allowing $\neg\mu_1$ agents to change out freely,
making the analogous change to $S_2$ too.

The simplicity of representing all forms of composition as intersection 
is therefore somewhat illusory. We need renaming and state expansion as 
well. (By adopting the approach mentioned in Section 4.2.1 of having a 
single universal set of states, state expansion can be avoided at the expense 
of additional renaming.) Moreover, we might want some state components 
of the composed system to be hidden — for example, the component mid in 
Figure 3. This requires the use of existential quantification, as described 
in Section 4.2.2. Still, we feel that the ability to reduce composition to the 
well-understood operation of intersection — or, in the corresponding logical 
view, to conjunction — is a significant benefit of our approach. 

5.1.2 Assumptions about the Agents 

In drawing Figure 3, we have made a subtle assumption about the agent
sets $\mu_1$ and $\mu_2$. Suppose we want to compose two copies of $\Pi_1$ without
renaming, so the inp state components of the two copies would be identified
(the two inp "wires" would be connected), as would the mid state
components. The discussion so far might lead one to write the resulting
specification as $S_1 \cap S_1$. But this is obviously wrong, since $S_1 \cap S_1$ equals
$S_1$. The simple intersection of $S_1$ with itself, without renaming, yields a
specification of system $\Pi_1$, not of the composition of two separate copies of
$\Pi_1$.

A property $S$ specifies what it means for a particular agent set $\mu$ to
perform correctly. Making a separate copy of $S$ means replacing $\mu$ by a
different agent set. Let $S|^{\mu_i}_{\mu}$ denote the property obtained by substituting
$\mu_i$ for $\mu$ in the formula describing $S$. The property $S|^{\mu_1}_{\mu} \cap S|^{\mu_2}_{\mu}$ specifies a
system in which the agent sets $\mu_1$ and $\mu_2$ each behave like the agent set $\mu$ in
the specification $S$, in other words, a system in which each $\mu_i$ is a separate
copy of the original system $\mu$.

By drawing separate, nonoverlapping boxes for $\Pi_1$ and $\Pi_2$ in Figure 3,
we have tacitly assumed that their agent sets $\mu_1$ and $\mu_2$ are disjoint. As we
have seen in the extreme case when $S_1$ equals $S_2$, the intersection $S_1 \cap S_2$ does
not represent the expected composition of separate systems unless $\mu_1 \cap \mu_2$
is the empty set of agents.
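As an added illustration, not part of the paper, the following Python code treats specifications as predicates on finite behaviors and implements composition as intersection together with the two kinds of renaming discussed in Sections 5.1.1 and 5.1.2: renaming of state components (the $S|^{mid}_{out}$ of Figure 3) and renaming of agent sets (the copies $S|^{\mu_i}_{\mu}$). It takes the single-universal-state-set approach mentioned in Section 4.2.1, so every state carries all three wires and no state expansion is needed. The components, the agent names p1, p2, a, b and env, and the behaviors are all constructed for the example; each specification is the safety part of the complete program $E \cap M$ of Section 5.2.2, with the environment assumed to leave the component's output wire unchanged.

```python
# Added example, not from the paper: composition as intersection of
# properties, with renaming of state components and of agent sets.
# States are dicts over one universal set of components (the approach of
# Section 4.2.1, so no state expansion is needed); a behavior is a finite
# sequence [s0, (agent, s1), (agent, s2), ...]; each specification is the
# safety part of a complete program E ∩ M. Everything below is constructed
# for illustration.

def steps(beh):
    """Yield (agent, old_state, new_state) for each step of a behavior."""
    prev = beh[0]
    for agent, new in beh[1:]:
        yield agent, prev, new
        prev = new

def component(mu, inp, out, fn):
    """E ∩ M for a component with agent set mu computing out := fn(inp).
    A mu step must set `out` correctly and leave every other component
    unchanged; a ¬mu (environment) step may change anything except `out`."""
    def spec(beh):
        for agent, old, new in steps(beh):
            if agent in mu:
                ok = new[out] == fn(old[inp]) and all(
                    old[c] == new[c] for c in old if c != out)
            else:
                ok = new[out] == old[out]
            if not ok:
                return False
        return True
    return spec

def compose(*specs):
    """Composition is intersection: a behavior is in S1 ∩ S2 iff it is in both."""
    return lambda beh: all(s(beh) for s in specs)

def rename(spec, a, b):
    """S|^b_a as an operation on the property: swap the names of components
    a and b in every state, then ask the original property."""
    def swap(state):
        state = dict(state)
        state[a], state[b] = state[b], state[a]
        return state
    return lambda beh: spec([swap(beh[0])] + [(ag, swap(s)) for ag, s in beh[1:]])

def st(inp, mid, out):
    return {"inp": inp, "mid": mid, "out": out}

# Figure 3: both components were specified with wires named (inp, out);
# renaming puts Π1's output and Π2's input on the shared wire `mid`.
S1 = rename(component({"p1"}, "inp", "out", lambda v: v + 1), "out", "mid")
S2 = rename(component({"p2"}, "inp", "out", lambda v: 2 * v), "inp", "mid")
SYSTEM = compose(S1, S2)

GOOD = [st(1, 0, 0), ("p1", st(1, 2, 0)), ("p2", st(1, 2, 4)),
        ("env", st(5, 2, 4)), ("p1", st(5, 6, 4)), ("p2", st(5, 6, 12))]
BAD = [st(1, 0, 0), ("p1", st(1, 2, 0)), ("p2", st(1, 2, 5))]   # Π2 miscomputes

def check_composition():
    """(True, False): GOOD is in S1 ∩ S2; BAD violates S2, hence the composite."""
    return SYSTEM(GOOD), SYSTEM(BAD)

# Section 5.1.2: S ∩ S is just S. A second copy needs a fresh agent set
# (S|^{b}_{a}), and two copies sharing an output wire cannot both act.
ONE = component({"a"}, "inp", "mid", lambda v: v + 1)
COPY = component({"b"}, "inp", "mid", lambda v: v + 1)
A_ACTS = [st(1, 0, 0), ("a", st(1, 2, 0))]

def check_copies():
    """S ∩ S accepts a behavior in which only agent a acts; S|a ∩ S|b rejects
    it, because for the copy with agent set {b} the a step is an environment
    step that changes the copy's output wire. Renaming the copy's output
    to a separate wire lets both copies act."""
    same_twice = compose(ONE, ONE)(A_ACTS)
    two_copies = compose(ONE, COPY)(A_ACTS)
    copy_on_out = component({"b"}, "inp", "out", lambda v: v + 1)
    both_act = [st(1, 0, 0), ("a", st(1, 2, 0)), ("b", st(1, 2, 2))]
    separate_wires = compose(ONE, copy_on_out)(both_act)
    return same_twice, two_copies, separate_wires

if __name__ == "__main__":
    print(check_composition())   # (True, False)
    print(check_copies())        # (True, False, True)
```

The renaming is implemented by swapping two component names, which is a bijective substitution; it therefore also renames the "all other components unchanged" part of a specification, which is exactly what makes $\Pi_1$ leave out alone once its output wire has been renamed to mid.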

5.2 Implementing One Specification by Another 
5.2.1 Definition 

A system's specification $S$ describes the set of all behaviors in which the
system is considered to behave correctly. For a system specified by $S'$ to
satisfy specification $S$, every behavior it allows must be in $S$. Thus, the
system specified by $S'$ satisfies the specification $S$ if $S' \subseteq S$. Eliminating the
phrase "the system specified by", we can say that specification $S'$ implements
$S$ if $S' \subseteq S$.

While sufficient, the condition $S' \subseteq S$ is stronger than strictly necessary
for $S'$ to implement $S$. We view $S'$ as a prescription for building an
implementation, and we say that $S'$ implements $S$ iff every real system built
according to the specification $S'$ satisfies $S$. It is not necessary for every
behavior in $S'$ to be in $S$, just for every behavior that can be generated by
a real implementation of $S'$ to be in $S$. The set of behaviors that can be
generated by a real implementation of $S'$ is included in the realizable part
of $S'$, so we define $S'$ implements $S$ to mean $\mathcal{R}_\mu(S') \subseteq S$.

We expect "implements" to be transitive, meaning that if $S''$ implements
$S'$, and $S'$ implements $S$, then $S''$ implements $S$. Proving transitivity
requires showing that $\mathcal{R}_\mu(S'') \subseteq S'$ and $\mathcal{R}_\mu(S') \subseteq S$ imply $\mathcal{R}_\mu(S'') \subseteq S$. This
implication is valid because, by Propositions 3 and 4, $\mathcal{R}_\mu(S'') \subseteq S'$ implies
$\mathcal{R}_\mu(S'') \subseteq \mathcal{R}_\mu(S')$.

We now return to the composition of systems. Let $S_1$ and $S_2$ be specifications
of systems with agent sets $\mu_1$ and $\mu_2$, respectively. Any real implementation
that satisfies $S_1$ will satisfy $\mathcal{R}_{\mu_1}(S_1)$, so combining an implementation
of $S_1$ with an implementation of $S_2$ produces a system whose set of behaviors
is contained in $\mathcal{R}_{\mu_1}(S_1) \cap \mathcal{R}_{\mu_2}(S_2)$. Thus, to prove that the composition of
a system specified by $S_1$ and one specified by $S_2$ implements a specification
$S$, it suffices to prove

$$\mathcal{R}_{\mu_1}(S_1) \cap \mathcal{R}_{\mu_2}(S_2) \subseteq S \qquad (5)$$

If (5) holds, then the following proposition allows us to infer the stronger
result $\mathcal{R}_{\mu_1}(S_1) \cap \mathcal{R}_{\mu_2}(S_2) \subseteq \mathcal{R}_{\mu_1 \cup \mu_2}(S)$.

Proposition 11 For any disjoint pair of agent sets $\mu_1$ and $\mu_2$, and any
properties $P_1$ and $P_2$, the property $\mathcal{R}_{\mu_1}(P_1) \cap \mathcal{R}_{\mu_2}(P_2)$ is $\mu_1 \cup \mu_2$-receptive.

Proposition 11 implies that $\mathcal{R}_{\mu_1}(S_1) \cap \mathcal{R}_{\mu_2}(S_2) \subseteq \mathcal{R}_{\mu_1 \cup \mu_2}(S_1 \cap S_2)$.
This in turn implies that condition (5) is weaker than $\mathcal{R}_{\mu_1 \cup \mu_2}(S_1 \cap S_2) \subseteq S$,
which is what we would have to prove to show that $S_1 \cap S_2$ implements $S$.

The hypothesis that $\mu_1$ and $\mu_2$ are disjoint is necessary in Proposition 11.
In particular, the conclusion does not hold if $\mu_1 = \mu_2$, because the intersection
of two $\mu$-receptive properties is not necessarily $\mu$-receptive.

5.2.2 Proving That One Specification Implements Another 

We now comment briefly on how one can prove in practice that a specification
$S'$ of the form $E' \Rightarrow M'$ implements a specification $S$ of the form
$E \Rightarrow M$. If $S'$ is not $\mu$-receptive (equal to its realizable part), then deriving
an explicit formula for $\mathcal{R}_\mu(S')$ is likely to be very difficult. (If it were
easy, then we would have written $\mathcal{R}_\mu(S')$ instead of $S'$ in the first place.)
Therefore, unless we can apply some general theorem, like Theorem 2 of
Section 5.3 below, to prove that $S'$ implements $S$, we will have to prove
that $S' \subseteq S$.

Specification $S'$ has environment assumption $E'$, while $S$ has environment
assumption $E$. If the system specified by $S'$ is to satisfy the specification
$S$, it must do so assuming only that the environment satisfies $E$.
Therefore, $E'$ must be equal to or weaker than $E$, that is, we must have
$E \subseteq E'$. Since $E \subseteq E'$ implies $(E' \Rightarrow M') \subseteq (E \Rightarrow M')$, if the implementation
satisfies $E' \Rightarrow M'$ then it also satisfies $E \Rightarrow M'$. Therefore, it suffices
to prove $(E \Rightarrow M') \subseteq (E \Rightarrow M)$.

By elementary set theory, $(E \Rightarrow M') \subseteq (E \Rightarrow M)$ is equivalent to
$E \cap M' \subseteq E \cap M$.$^1$ Whereas $E \Rightarrow M$ consists of all behaviors in which the system
behaves correctly in the face of arbitrary environment behavior, $E \cap M$
consists of only those behaviors in which both the environment and system
behave correctly. In the transition-axiom approach, $E$ is an abstract partial
program describing the environment and $M$ is an abstract partial program
describing the system, so $E \cap M$ defines the complete program obtained
by composing these two partial programs. Similarly, $E \cap M'$ describes a
complete program. Therefore, proving $E \cap M' \subseteq E \cap M$ requires proving
that one complete program implements another.

$^1$ This equivalence was pointed out to us by Amir Pnueli.

Proving that one program implements another is a problem that has been
addressed extensively in earlier work. The basic transition-axiom approach
is described in [Lam89], and a formal basis along with a completeness result
can be found in [AL91]. We briefly sketch this approach.

The specification $E \cap M$ can be written in the form

$$\exists x : I \cap TA_{\neg\mu}(N_E) \cap TA_\mu(N_M) \cap L$$

where $I$ is an initial predicate, $N_E$ and $N_M$ are next-state relations describing
the environment and system actions, respectively, and $L$ is a progress
property, all with set of states $S \times X$. (Here, $X$ consists of the system's
internal state components; as we observed in Section 4.3, we can make the
environment's internal variables visible.) We can write $I$ as a logical formula
on the state variables, $N_E$ and $N_M$ as relations between old and new state
values, and $L$ as a formula in some temporal logic. Similarly, $E \cap M'$ can be
written in the form $\exists y : I' \cap TA_{\neg\mu}(N_E') \cap TA_\mu(N_M') \cap L'$, with a set of internal
states $Y$. Moreover, $N_E$ and $N_E'$ will be essentially the same relations,
depending only on the externally visible state (including the environment's
internal state components). To prove that $E \cap M'$ implements $E \cap M$, we
construct a refinement mapping $f$ from $S \times Y$ to $S \times X$ that satisfies the
following four conditions.

1. $f$ preserves the $S$-component. In other words, for all $(s, y) \in S \times Y$,
there is some $x \in X$ such that $f(s, y) = (s, x)$.

In practice, a set of states is defined by a collection of state components.
Let $e_1, \ldots, e_m$ denote the components defining $S$, so an
element $s$ of $S$ is an $m$-tuple $(e_1(s), \ldots, e_m(s))$; let $x_1, \ldots, x_n$ and
$y_1, \ldots, y_p$ denote the similar components defining $X$ and $Y$. To specify
the refinement mapping $f$, one must define functions $f_1, \ldots, f_n$
such that $f(s, y) = (s, (f_1(s, y), \ldots, f_n(s, y)))$. The $f_j$ can be described
by formulas having the components $e_i$ and $y_k$ as free variables.
For example, the formula $e_1 + 4 y_2$ denotes the function $g$ such that
$g(s, y) = e_1(s) + 4 y_2(y)$.

2. $f$ takes initial states to initial states. The formal condition is $f(I') \subseteq I$.

To explain what this condition means in practice, we first make the
following definition. For any formula $H$ with free variables $e_1, \ldots, e_m$
and $x_1, \ldots, x_n$, define $f^*(H)$ to be the formula obtained by substituting
$f_j$ for $x_j$, for $j = 1, \ldots, n$. This defines $f^*(H)$ to be a formula
with free variables $e_1, \ldots, e_m$ and $y_1, \ldots, y_p$. The semantic condition
$f(I') \subseteq I$ is expressed in the logical framework as $\models I' \Rightarrow f^*(I)$, which
is a formula "about" the implementation. In most cases, this condition
is easy to check.

3. $f$ maps $N_M'$ steps into $N_M$ steps or stuttering steps. Formally, we
require that if $(s, y)$ is any state reachable from a state in $I'$ by
a sequence of $N_E'$ and $N_M'$ steps, then $((s, y), (t, z)) \in N_M'$ implies
$(f(s, y), f(t, z)) \in N_M$ or $f(s, y) = f(t, z)$.

In practice, verifying this condition involves finding an $S \times Y$-predicate
$P$ such that $I' \subseteq P$ and $P$ is left invariant by $N_E'$ and $N_M'$, meaning that
$(s, y) \in P$ and $((s, y), (t, z)) \in N_E' \cup N_M'$ imply $(t, z) \in P$. One then
proves $\mathit{old}.P \wedge N_M' \Rightarrow f^*(N_M \vee \mathcal{I})$, where $\mathit{old}.P$ is the formula asserting
that $P$ is true in the first state of a step, and $\mathcal{I}$ is the identity relation.
Finding an invariant $P$ and proving its invariance is exactly what one
does in a proof by the Owicki-Gries method [LS84b, OG76], so the
method for proving this condition generalizes the standard method for
proving invariance properties of concurrent programs.

4. $f$ maps behaviors that satisfy $I' \cap TA_{\neg\mu}(N_E') \cap TA_\mu(N_M') \cap L'$ into
behaviors that satisfy $L$. The formal condition is
$f(I' \cap TA_{\neg\mu}(N_E') \cap TA_\mu(N_M') \cap L') \subseteq L$.

Translated into the logical framework, the formula to be verified becomes
$I' \wedge TA_{\neg\mu}(N_E') \wedge TA_\mu(N_M') \wedge L' \Rightarrow f^*(L)$. This formula asserts
that the abstract program described by $I' \wedge TA_{\neg\mu}(N_E') \wedge TA_\mu(N_M') \wedge L'$
satisfies the property $f^*(L)$, which is generally a liveness property.
Thus, verification of this condition is tantamount to proving that a program
satisfies a liveness property, which can be done with the method
of [OL82] when $L$ and $L'$ are expressed as temporal logic formulas.

Condition 3 is weaker in two ways than the corresponding condition R3
in the definition of a refinement mapping in [AL91]. First, condition 3
applies only to $\mu$ steps, while condition R3 applies to all steps. The weaker
condition is sufficient because $\neg\mu$ steps, which are taken by the environment,
are essentially the same in both $E \cap M'$ and $E \cap M$. (The formalism of
[AL91] did not include agents and made no distinction between system and
environment steps.) Second, condition 3 applies only to steps taken from a
reachable state, while R3 applies to steps taken from any state. The weaker
condition was not needed in [AL91], where history variables were used to
eliminate unreachable states.
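As an added example, not part of the paper, the following Python code checks conditions 2 and 3 of the refinement-mapping method on two small finite-state specifications constructed for the purpose, with the invariant $P$ of condition 3 taken to be the set of reachable states itself. The high-level program increments a visible counter in one step; the low-level program does it in two steps through a hidden flag $y$, and its next-state relation also contains a junk value of $y$ that no execution ever reaches. The check from reachable states (condition 3) succeeds, while the same check from every state (condition R3 of [AL91]) fails on the junk value, which is the difference discussed in the preceding paragraph. Condition 4 (liveness) is not checked. The relations, the mapping $f$ and all names are assumptions of the example.

```python
# Added example, not from the paper: checking conditions 2 and 3 of the
# refinement-mapping method on finite transition systems. The specifications
# below are constructed for illustration; the invariant P of condition 3 is
# taken to be the set of reachable states, computed by exploration.
from itertools import product

OUT = range(4)   # externally visible state S: one component `out` in 0..3
Y = range(3)     # internal state Y of the implementation; y == 2 is a junk value

# High-level complete program E ∩ M. Its internal state X is trivial (None).
def I_hi(s, x):
    return s == 0 and x is None

def N_E(s, x, t, z):
    """Environment (¬μ) step: may reset `out` to 0 or leave it; never touches x."""
    return (t == s or t == 0) and z == x

def N_M(s, x, t, z):
    """System (μ) step: increment `out` modulo 4."""
    return t == (s + 1) % 4 and z == x

# Low-level complete program E ∩ M'. y == 1 records a pending increment.
def I_lo(s, y):
    return s == 0 and y == 0

def N_E_lo(s, y, t, z):
    """The same environment steps, lifted to S × Y (the environment cannot see y)."""
    return (t == s or t == 0) and z == y

def N_M_lo(s, y, t, z):
    """Implementation system steps."""
    if y == 0:                     # phase 1: record the request; `out` unchanged
        return t == s and z == 1
    if y == 1: # phase 2: perform the increment
        return t == (s + 1) % 4 and z == 0
    return t == (s + 2) % 4 and z == 0   # y == 2: bogus double increment (unreachable)

def f(s, y):
    """Refinement mapping S × Y -> S × X; condition 1 holds by construction."""
    return (s, None)

STATES_LO = [(s, y) for s in OUT for y in Y]

def reachable():
    """States reachable from I' by N_E' and N_M' steps: the strongest invariant P."""
    seen = {state for state in STATES_LO if I_lo(*state)}
    frontier = list(seen)
    while frontier:
        s, y = frontier.pop()
        for t, z in STATES_LO:
            if (N_E_lo(s, y, t, z) or N_M_lo(s, y, t, z)) and (t, z) not in seen:
                seen.add((t, z))
                frontier.append((t, z))
    return seen

def condition2():
    """f(I') ⊆ I."""
    return all(I_hi(*f(s, y)) for s, y in STATES_LO if I_lo(s, y))

def condition3(from_reachable_only=True):
    """Every N_M' step from a source state maps under f to an N_M step or a
    stutter. With from_reachable_only=False this is condition R3 of [AL91].
    Returns (True, None) or (False, offending_step)."""
    sources = reachable() if from_reachable_only else set(STATES_LO)
    for (s, y), (t, z) in product(sorted(sources), STATES_LO):
        if N_M_lo(s, y, t, z):
            a, b = f(s, y), f(t, z)
            if not (a == b or N_M(*a, *b)):
                return False, ((s, y), (t, z))
    return True, None

if __name__ == "__main__":
    print("condition 2:", condition2())
    print("condition 3 (reachable sources):", condition3())
    print("condition R3 (all sources):", condition3(from_reachable_only=False))
```

Exploring the reachable states is the finite-state stand-in for the invariant $P$ and its invariance proof; on an infinite state space one would instead write $P$ by hand and prove $\mathit{old}.P \wedge N_M' \Rightarrow f^*(N_M \vee \mathcal{I})$ as the text describes.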

Theorem 2 of [AL91] asserts the existence of a refinement mapping under 
certain reasonable assumptions about the specifications, providing a com- 
pleteness theorem for the proof method. In general, obtaining the refinement 
mapping may require adding two auxiliary variables to the lower-level spec- 
ification: a history variable used to record past actions, and a prophecy 
variable used to predict future ones. Our limited experience indicates that 
prophecy variables are almost never needed and, with condition 3 rather 
than R3, history variables are seldom needed. Although our experience 
with this method for verifying concurrent systems is limited, we have good 
reason to believe that these mappings can be constructed in practice, be- 
cause refinement mappings are essentially abstraction functions of the kind 
that have been used for years to prove that one data type implements an- 
other [Hoa72]. 

5.3 The Main Theorem 

5.3.1 A Precise Statement of the Composition Principle 

Having discussed composition and implementation, we come to the problem
of proving that the composition of specifications $S_1$ and $S_2$ implements
a specification $S$. As we observed in (5) of Section 5.2, we must
prove $\mathcal{R}_{\mu_1}(S_1) \cap \mathcal{R}_{\mu_2}(S_2) \subseteq S$. One might attempt to prove this with the
refinement-mapping method of Section 5.2.2. Since we cannot expect to
construct the realizable part of a specification, we would have to prove the
stronger result that $S_1 \cap S_2$ implements $S$. However, $S$ has the form $E \Rightarrow M$
and each $S_i$ has the form $E_i \Rightarrow M_i$. The refinement-mapping method proves
that a specification of the form $E \Rightarrow M'$ implements $E \Rightarrow M$, but $S_1 \cap S_2$
is not in this form. A simple refinement mapping won't work; we need the
Composition Principle.

We now restate the Composition Principle, for the case $n = 2$, in terms
of our formal definitions. The principle's premises are that system $\Pi$ is
the composition of systems $\Pi_1$ and $\Pi_2$, the specification of $\Pi$ is $E \Rightarrow M$,
and the specification of each $\Pi_i$ is $E_i \Rightarrow M_i$. As we have already indicated,
$E$, $E_1$, and $E_2$ must be safety properties. Also needed are some additional
assumptions that are natural consequences of our method of writing
specifications, assumptions that we disregard for now, but add as hypotheses
of the theorem and discuss afterwards. The hypotheses of the principle
consist of three conditions:

1. $\Pi$ guarantees $M$ if each component $\Pi_i$ guarantees $M_i$.

Formally, this condition asserts that $M_1 \cap M_2 \subseteq M$. It can be satisfied
automatically by taking $M$ to be $M_1 \cap M_2$. We can therefore
simplify the Composition Principle by eliminating $M$, and letting the
conclusion assert that $\Pi$ satisfies $E \Rightarrow M_1 \cap M_2$. To show that $\Pi$
satisfies the specification $E \Rightarrow M$, one proves that $E \Rightarrow M_1 \cap M_2$
implements $E \Rightarrow M$, using the refinement-mapping method described
in Section 5.2.2.

2. The environment assumption $E_i$ of each component $\Pi_i$ is satisfied if
the environment of $\Pi$ satisfies $E$ and every $\Pi_j$ satisfies $M_j$.

This condition asserts that $E \cap M_1 \cap M_2 \subseteq E_1$ and $E \cap M_1 \cap M_2 \subseteq E_2$,
two assertions that can be combined as $E \cap M_1 \cap M_2 \subseteq E_1 \cap E_2$.

3. Every component $\Pi_i$ guarantees $M_i$ under environment assumption $E_i$.

This condition simply asserts that each component $\Pi_i$ satisfies its
specification $E_i \Rightarrow M_i$.

The Composition Principle's conclusion asserts that $\Pi$ satisfies the specification
$E \Rightarrow M_1 \cap M_2$. (Remember that we have replaced $M$ by $M_1 \cap M_2$.)
When the principle is formulated in terms of specifications rather than systems,
condition 3 disappears and the conclusion states that the composition
of the components' specifications implements the system's specification. The
Composition Principle then becomes the proof rule:

$$\frac{E \cap M_1 \cap M_2 \subseteq E_1 \cap E_2}{\mathcal{R}_{\mu_1}(E_1 \Rightarrow M_1) \cap \mathcal{R}_{\mu_2}(E_2 \Rightarrow M_2) \subseteq E \Rightarrow M_1 \cap M_2} \qquad (6)$$

Unfortunately, this rule is not valid. To obtain a valid rule, we must replace
its hypothesis with a stronger one.

Rule (6) appears unreasonably circular because it allows one to assume
$M_i$ in proving the environment assumption $E_i$ that is necessary for component
$\Pi_i$ to guarantee $M_i$. This suggests that we strengthen the hypothesis
by disallowing the use of $M_i$ in proving $E_i$, obtaining the rule:

$$\frac{E \cap M_2 \subseteq E_1 \qquad E \cap M_1 \subseteq E_2}{\mathcal{R}_{\mu_1}(E_1 \Rightarrow M_1) \cap \mathcal{R}_{\mu_2}(E_2 \Rightarrow M_2) \subseteq E \Rightarrow M_1 \cap M_2} \qquad (7)$$
This rule is indeed valid. However, it would be wrong to attribute the
invalidity of (6) to simple circularity. Rule (7) is also circular, and it would
be incorrect without the additional assumptions that we have been ignoring.
For example, suppose we could take $E_1 = E_2 = M_1 = M_2 = P$ for some
safety property $P$. Both hypotheses of (7) then reduce to the tautology
$E \cap P \subseteq P$; and each $E_i \Rightarrow M_i$ becomes $P \Rightarrow P$, an identically true specification
satisfied by any system. Rule (7) would then yield the ridiculous conclusion
that the composition of any two systems satisfies the specification $E \Rightarrow P$.

Not only is (7) valid despite its circularity, but there is an even stronger
valid rule that looks just as circular as (6). The way to strengthen (7) is
suggested by a closer examination of its hypotheses. The first hypothesis
asserts that $E$ and $M_2$ imply $E_1$. Property $E_1$ is assumed to be a safety
property, and any safety property that is implied by $M_2$ is implied by $\overline{M_2}$.
We would therefore expect $E \cap M_2$ to imply $E_1$ only if $E \cap \overline{M_2}$ does. Similarly,
$E \cap M_1$ should imply $E_2$ only if $E \cap \overline{M_1}$ does. Proposition 12 shows that
the following inference rules are indeed valid, again, under certain natural
assumptions.

$$\frac{E \cap M_2 \subseteq E_1}{E \cap \overline{M_2} \subseteq E_1} \qquad\qquad \frac{E \cap M_1 \subseteq E_2}{E \cap \overline{M_1} \subseteq E_2} \qquad (8)$$

We can thus replace $M_1$ and $M_2$ by their closures in the hypotheses of (7).
But we can do even more. In the hypothesis, we can actually assume both
$\overline{M_1}$ and $\overline{M_2}$ when proving $E_1$ and $E_2$. In other words, rule (6) is valid if,
in the hypothesis, we replace $M_1$ and $M_2$ by $\overline{M_1}$ and $\overline{M_2}$. Thus, one can
assume $\overline{M_i}$ when proving the assumption $E_i$ that is necessary for $\Pi_i$ to
guarantee $M_i$.

We now state our precise results. The hypotheses of the proposition and
the theorem are discussed later. The proposition asserts the first rule of (8);
the second rule is obtained by the obvious substitutions. In the theorem, we
have strengthened the proof rule's conclusion by replacing $E \Rightarrow M_1 \cap M_2$
with its realizable part.

Proposition 12 If $\mu_1$, $\mu_2$, and $\mu_1 \cup \mu_2$ are agent sets and $E$, $E_1$, and $M_2$
are properties such that:

1. $E = I \cap P$ where

(a) $I$ is a state predicate.

(b) $P$ is a safety property that constrains at most $\neg(\mu_1 \cup \mu_2)$.

2. $E_1$ is a safety property.

3. $\mu_1 \cap \mu_2 = \emptyset$

4. $M_2$ is a $\mu_2$-abstract property.

Then the rule of inference

$$\frac{E \cap M_2 \subseteq E_1}{E \cap \overline{M_2} \subseteq E_1}$$

is sound.

Theorem 2 If $\mu_1$, $\mu_2$, and $\mu_1 \cup \mu_2$ are agent sets and $E$, $E_1$, $E_2$, $M_1$, and
$M_2$ are properties such that:

1. $E = I \cap P$, $E_1 = I_1 \cap P_1$, and $E_2 = I_2 \cap P_2$, where

(a) $I$, $I_1$, and $I_2$ are state predicates.

(b) $P$, $P_1$, and $P_2$ are safety properties that constrain at most
$\neg(\mu_1 \cup \mu_2)$, $\neg\mu_1$, and $\neg\mu_2$, respectively.

2. $M_1$ and $M_2$ constrain at most $\mu_1$ and $\mu_2$, respectively.

3. $\mu_1 \cap \mu_2 = \emptyset$

Then the rule of inference

$$\frac{E \cap \overline{M_1} \cap \overline{M_2} \subseteq E_1 \cap E_2}{\mathcal{R}_{\mu_1}(E_1 \Rightarrow M_1) \cap \mathcal{R}_{\mu_2}(E_2 \Rightarrow M_2) \subseteq \mathcal{R}_{\mu_1 \cup \mu_2}(E \Rightarrow M_1 \cap M_2)}$$

is sound.

The theorem handles the composition of two systems. It has an obvious
generalization to the composition of $n$ systems, for any $n > 2$.

$$\frac{E \cap \overline{M_1} \cap \ldots \cap \overline{M_n} \subseteq E_1 \cap \ldots \cap E_n}{\mathcal{R}_{\mu_1}(E_1 \Rightarrow M_1) \cap \ldots \cap \mathcal{R}_{\mu_n}(E_n \Rightarrow M_n) \subseteq \mathcal{R}_{\mu_1 \cup \ldots \cup \mu_n}(E \Rightarrow M_1 \cap \ldots \cap M_n)}$$

This rule can be derived from the theorem by using Proposition 11.
5.3.2 The Hypotheses of the Theorem and Proposition

We now discuss the theorem's three numbered hypotheses, which imply
the first three hypotheses of the proposition, and the proposition's fourth
hypothesis.

1. It is not hard to show that any safety property $E'$ can be written
as $I' \cap P'$, where $I'$ is a state predicate and $P'$ is a safety property
that constrains at most $\nu$, for some set of agents $\nu$. If $E'$ specifies
the environment of a system with agent set $\mu$, then $\nu$ should equal
$\neg\mu$. Therefore, hypothesis 1 will be satisfied if the environment
assumptions $E$, $E_1$, and $E_2$ are safety properties. Theorem 1 allows us
to rewrite a specification so its environment assumption is a safety
property.

Observe that a system implemented by components with agent sets
$\mu_1$ and $\mu_2$ should have $\mu_1 \cup \mu_2$ as its agent set. But, the higher-level
specification $E \Rightarrow M$ we are ultimately trying to verify may be
written in terms of an agent set $\mu$ rather than $\mu_1 \cup \mu_2$. In this case, we
must perform a renaming operation, substituting $\mu_1 \cup \mu_2$ for $\mu$ before
applying the theorem.

2. In the transition-axiom approach, each $M_i$ has the form

$$\exists x : I_x \cap TA_{\neg\mu_i}(U_X) \cap TA_{\mu_i}(N) \cap L$$

and we expect $\overline{M_i}$ to equal $\exists x : I_x \cap TA_{\neg\mu_i}(U_X) \cap TA_{\mu_i}(N)$, in which
case hypothesis 2 is satisfied.

3. As we mentioned in Section 5.1.2, this hypothesis means that the
two components are distinct. They need be distinct only at the current
level of abstraction; their implementations could contain common
parts. For example, the two components might specify distinct program
procedures, while their implementations both invoke a common
subprocedure. We can consider the subprocedure to be executed by
different agents depending upon which procedure invoked it. Alternatively,
we can generalize our notion of implementation to allow renaming
of agents. In practice, this hypothesis seems to be a petty nuisance
of the formalism, not a real concern.

4. When we write $M_2$ directly, either as an abstract program or by any
sort of logical formula, individual agents are not mentioned. The only
reference to agents is through the symbol "$\mu_2$", so $M_2$ is automatically
$\mu_2$-abstract.



5.3.3 The Hypotheses of the Proof Rule 

We now show how one verifies the hypothesis $E \cap \overline{M_1} \cap \overline{M_2} \subseteq E_1 \cap E_2$ of the theorem's proof rule, using the systems $\Pi_1$ and $\Pi_2$ of Figure 3 as a generic example.

Each of the "wires" inp, mid, and out will have an associated protocol that the systems on its two ends are expected to obey. For each wire $w$, let $I^{w}$ be the initial condition for the wire, let $L^{w}_{\mu}$ be the property asserting that the agent set $\mu$ correctly executes the protocol for the system on the left side of the wire, and let $R^{w}_{\mu}$ be the corresponding property for the right side of the wire.

For example, suppose the state component mid consists of a register $r$ and two booleans $rdy$ and $ack$, and that the following popular hardware protocol is used to pass values from a sender on the left to a receiver on the right. (Initially, the values of $rdy$ and $ack$ are equal.)

send:    begin loop
           await rdy = ack;
           write r;
           rdy := ¬rdy
         end loop

receive: begin loop
           await rdy ≠ ack;
           read r;
           ack := ¬ack
         end loop

Let $N_{send}$ and $N_{receive}$ be the next-state relations of the sender's and receiver's programs. For this protocol, $I^{mid}$ is the initial predicate $rdy = ack$, the property $L^{mid}_{\mu}$ equals $TA_{\mu}(N_{send})$, and $R^{mid}_{\mu}$ equals $TA_{\mu}(N_{receive})$. Data is properly transferred from $\Pi_1$ to $\Pi_2$ across mid in every behavior satisfying the property $I^{mid} \cap L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2}$.

We will not assume any particular protocols for inp, mid, and out. However, we can ignore any liveness properties the protocols might require, since these properties cannot appear in the environment assumptions. Therefore, we assume that $L^{w}_{\mu}$ and $R^{w}_{\mu}$ are safety properties, for each wire $w$.

In addition to specifying the mechanism by which values are sent over wire $w$, the protocol properties $L^{w}_{\mu}$ and $R^{w}_{\mu}$ can also specify what values are sent. Thus, it is reasonable to suppose that these protocol properties include any assumptions that a system makes about its environment. A system's environment assumption then asserts that the environment obeys its side of the protocol for each wire over which the system and environment communicate. The initial conditions for these wires must also be part of the environment assumption, since the environment is responsible for the initial values of all externally visible components. For the composition in Figure 3, we then get the following environment assumptions.

$$E_1 = I^{inp} \cap L^{inp}_{\neg\mu_1} \cap I^{mid} \cap R^{mid}_{\neg\mu_1}$$

$$E_2 = I^{mid} \cap L^{mid}_{\neg\mu_2} \cap I^{out} \cap R^{out}_{\neg\mu_2}$$

$$E = I^{inp} \cap L^{inp}_{\neg(\mu_1 \cup \mu_2)} \cap I^{mid} \cap TA_{\neg(\mu_1 \cup \mu_2)}(U_{mid}) \cap I^{out} \cap R^{out}_{\neg(\mu_1 \cup \mu_2)}$$

We have included in $E$ the assumption that the composite system's environment does not affect mid.
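As an added illustration (not part of the paper), the following Python models the handshake over mid: the next-state relations $N_{send}$ and $N_{receive}$, the operator $TA_{\mu}(N)$ as a predicate on finite behavior prefixes, and the conjunction $I^{mid} \cap L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2} \cap TA_{\neg(\mu_1 \cup \mu_2)}(U_{mid})$. The agent names, the data-transfer check, the exhaustive enumeration of interleavings, and the two violating prefixes are all constructed here and are not from the paper.

```python
from collections import deque

# Constructed agent sets: mu1 (the sender, system Pi1), mu2 (the receiver, Pi2),
# and the remaining environment, standing in for not(mu1 u mu2).
MU1, MU2, ENV = {"sender"}, {"receiver"}, {"env"}

# A state of wire mid is a dict with the register r and the booleans rdy, ack.
# A finite behavior prefix is a list [(None, s0), (a1, s1), (a2, s2), ...]:
# the initial state followed by (agent, state) pairs.

def n_send(s, t):
    """N_send: enabled when rdy = ack; writes r and flips rdy, leaves ack alone."""
    return s["rdy"] == s["ack"] and t["rdy"] != s["rdy"] and t["ack"] == s["ack"]

def n_receive(s, t):
    """N_receive: enabled when rdy != ack; reads r (r unchanged) and flips ack."""
    return (s["rdy"] != s["ack"] and t["ack"] != s["ack"]
            and t["rdy"] == s["rdy"] and t["r"] == s["r"])

def u_mid(s, t):
    """U_mid: the step leaves every component of mid unchanged."""
    return s == t

def ta(mu, rel, prefix):
    """TA_mu(rel): every step taken by an agent in mu satisfies rel."""
    s = prefix[0][1]
    for agent, t in prefix[1:]:
        if agent in mu and not rel(s, t):
            return False
        s = t
    return True

def i_mid(prefix):
    """I^mid: the initial predicate rdy = ack."""
    return prefix[0][1]["rdy"] == prefix[0][1]["ack"]

def protocol_holds(prefix):
    """I^mid n L^mid_mu1 n R^mid_mu2 n TA_env(U_mid), with
    L^mid_mu = TA_mu(N_send) and R^mid_mu = TA_mu(N_receive)."""
    return (i_mid(prefix) and ta(MU1, n_send, prefix)
            and ta(MU2, n_receive, prefix) and ta(ENV, u_mid, prefix))

def transfer(prefix):
    """Values written by sender steps and values read by receiver steps."""
    sent, received = [], []
    s = prefix[0][1]
    for agent, t in prefix[1:]:
        if agent in MU1:
            sent.append(t["r"])
        if agent in MU2:
            received.append(s["r"])
        s = t
    return sent, received

def data_transferred_properly(prefix):
    """Each written value is read exactly once, in order, before being overwritten."""
    sent, received = transfer(prefix)
    return received == sent[:len(received)] and len(sent) - len(received) <= 1

def explore(depth):
    """Enumerate every prefix of length <= depth in which sender, receiver and
    environment each follow their program; check both properties on every
    prefix and return how many prefixes were checked."""
    init = {"r": 0, "rdy": False, "ack": False}
    queue, checked = deque([[(None, init)]]), 0
    while queue:
        p = queue.popleft()
        assert protocol_holds(p) and data_transferred_properly(p), p
        checked += 1
        if len(p) - 1 == depth:
            continue
        s = p[-1][1]
        queue.append(p + [("env", dict(s))])                 # environment stutters
        if s["rdy"] == s["ack"]:                             # sender writes a fresh value
            queue.append(p + [("sender", {"r": s["r"] + 1, "rdy": not s["rdy"], "ack": s["ack"]})])
        else:                                                # receiver reads and acknowledges
            queue.append(p + [("receiver", dict(s, ack=not s["ack"]))])
    return checked

# Constructed prefixes exhibiting the two ways the protocol property can fail.
S0 = {"r": 0, "rdy": False, "ack": False}
# The sender writes again before the receiver has acknowledged: L^mid_mu1 is
# violated and the value 1 is lost.
BAD_SENDER = [(None, S0), ("sender", {"r": 1, "rdy": True, "ack": False}),
              ("sender", {"r": 2, "rdy": False, "ack": False})]
# An environment agent toggles rdy, violating TA_env(U_mid); the receiver then
# "reads" a value nobody sent.
BAD_ENV = [(None, S0), ("env", {"r": 0, "rdy": True, "ack": False}),
           ("receiver", {"r": 0, "rdy": True, "ack": True})]

if __name__ == "__main__":
    print(explore(4), protocol_holds(BAD_SENDER), protocol_holds(BAD_ENV))
```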

We cannot prove the hypothesis of the theorem without knowing something about $\Pi_1$, $\Pi_2$, and the wires. The assumptions we will make, and their justifications, are listed below.

A1. For any wire $w$ and agent sets $\nu_1$ and $\nu_2$:

(a) $TA_{\nu_1}(U_w) \cap L^{w}_{\nu_2} \subseteq L^{w}_{\nu_1 \cup \nu_2}$

(b) $TA_{\nu_1}(U_w) \cap R^{w}_{\nu_2} \subseteq R^{w}_{\nu_1 \cup \nu_2}$

Property $L^{w}_{\nu_2}$ asserts that agents in $\nu_2$ obey the left-side protocol for wire $w$. Actions that do not affect the wire cannot disobey the protocol. Hence, if agents in $\nu_2$ obey the protocol and agents in $\nu_1$ do not affect $w$, then agents in $\nu_1 \cup \nu_2$ obey the protocol. Part (a) can be derived formally from three assumptions: (i) $L^{w}_{\nu_1 \cup \nu_2}$ equals the property obtained by substituting $\nu_1 \cup \nu_2$ for $\nu_2$ in $L^{w}_{\nu_2}$, (ii) $L^{w}_{\nu_2}$ constrains at most $\nu_2$, and (iii) $L^{w}_{\nu_2}$ depends only on the $w$-component of the state. Part (b) has a similar justification.

A2. (a) $\overline{M_1} \subseteq TA_{\mu_1}(U_{out})$
    (b) $\overline{M_2} \subseteq TA_{\mu_2}(U_{inp})$

Figure 3 assumes that $\Pi_1$ does not affect out and $\Pi_2$ does not affect inp. Formally, these assumptions are $M_1 \subseteq TA_{\mu_1}(U_{out})$ and $M_2 \subseteq TA_{\mu_2}(U_{inp})$, which imply A2 because $TA_{\mu_1}(U_{out})$ and $TA_{\mu_2}(U_{inp})$ are safety properties.

A3. $\overline{M_1} \cap \overline{M_2} \subseteq L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2}$

For the composite system to work properly, $\Pi_1$ and $\Pi_2$ must cooperate to guarantee that the protocol condition $L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2}$ is satisfied. Hence, $M_1 \cap M_2$ must be a subset of $L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2}$. Since $L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2}$ is a safety property, we expect it to contain $M_1 \cap M_2$ only if it contains $\overline{M_1} \cap \overline{M_2}$. This is an expectation, not a logical necessity. If we could always deduce A3 from $M_1 \cap M_2 \subseteq L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2}$, then proof rule (6) would be valid.

With these assumptions, we can verify $E \cap \overline{M_1} \cap \overline{M_2} \subseteq E_1 \cap E_2$, the hypothesis of the theorem's proof rule. We prove that $E \cap \overline{M_1} \cap \overline{M_2}$ is a subset of $E_1$; proving that it is a subset of $E_2$ is similar. Since $E_1$ is the conjunction of four properties, there are four inclusions to verify.

1. $E \cap \overline{M_1} \cap \overline{M_2} \subseteq I^{inp}$

Proof: The definition of $E$ implies that it is a subset of $I^{inp}$.

2. $E \cap \overline{M_1} \cap \overline{M_2} \subseteq L^{inp}_{\neg\mu_1}$

Proof: This is proved by the following sequence of steps.

2.1. $\overline{M_2} \subseteq TA_{\mu_2}(U_{inp})$
Proof: By A2(b).

2.2. $E \subseteq L^{inp}_{\neg(\mu_1 \cup \mu_2)}$
Proof: By definition of $E$.

2.3. $E \cap \overline{M_2} \subseteq L^{inp}_{\neg\mu_1}$
Proof: By 2.1, 2.2, and A1(a), substituting $\mu_2$ for $\nu_1$ and $\neg(\mu_1 \cup \mu_2)$ for $\nu_2$, since the hypothesis that $\mu_1$ and $\mu_2$ are disjoint implies $\mu_2 \cup \neg(\mu_1 \cup \mu_2) = \neg\mu_1$.

3. $E \cap \overline{M_1} \cap \overline{M_2} \subseteq I^{mid}$

Proof: By definition of $E$.

4. $E \cap \overline{M_1} \cap \overline{M_2} \subseteq R^{mid}_{\neg\mu_1}$

4.1. $\overline{M_1} \cap \overline{M_2} \subseteq R^{mid}_{\mu_2}$
Proof: By A3.

4.2. $E \subseteq TA_{\neg(\mu_1 \cup \mu_2)}(U_{mid})$
Proof: By definition of $E$.

4.3. $E \cap \overline{M_1} \cap \overline{M_2} \subseteq R^{mid}_{\neg\mu_1}$
Proof: By 4.1, 4.2, and A1(b), substituting $\neg(\mu_1 \cup \mu_2)$ for $\nu_1$ and $\mu_2$ for $\nu_2$, using the disjointness of $\mu_1$ and $\mu_2$.

This completes our justification of the hypothesis $E \cap \overline{M_1} \cap \overline{M_2} \subseteq E_1 \cap E_2$ for the composition of Figure 3. It was based on assumptions derived from the figure, with no assumptions about what $\Pi_1$ and $\Pi_2$ are supposed to do. This example is therefore quite general, since mid represents all state components involved in communication between $\Pi_1$ and $\Pi_2$, while inp and out represent the state components with which $\Pi_1$ and $\Pi_2$ interact with the rest of their environments. The only real assumption implicit in the figure is that the composite system's environment does not modify any state component that is accessed by both $\Pi_1$ and $\Pi_2$. Removing this assumption means that communication over mid involves a three-party protocol, requiring an additional property $T^{mid}_{\mu}$ to be satisfied by the third party. (This would be represented pictorially by adding a third end to wire mid that is not connected to anything in Figure 3.) Correct transfer of data over wire mid then requires $L^{mid}_{\mu_1} \cap R^{mid}_{\mu_2} \cap T^{mid}_{\neg(\mu_1 \cup \mu_2)}$ to hold. Our argument can be modified to handle the more general case.

6 Concluding Remarks 

We have approached the problem of composing specifications from a purely 
semantic point of view. A formal specification method can use a language 
and logic based on this semantics. Our Theorem 2 would appear as a proof 
rule in the logic. We have touched lightly on logical issues in our discussion, 
mentioning what form some logical formulas might take. Some concluding 
remarks about language and logic are in order. 

The semantic form of our specifications suggests the general style of a 
specification language. Safety properties are expressed by describing a next- 
state relation, and progress properties are expressed either directly in some 
form of temporal logic, or with fairness conditions that can be translated 
into temporal logic. 

There are obvious desiderata for a specification language: it should be 
expressive, readable, concise, etc. There are also more precise attributes 
that the specification logic must have. Clearly, we want all the sets of 
behaviors expressed to be properties, meaning that they are closed under 
stuttering-equivalence. Another simple attribute of a logic is explicitness, 
meaning that whether or not a behavior satisfies a formula F depends only 
on the values assumed during the behavior by the state components that are 
free variables of F. Explicitness is necessary if existential quantification is 
to have its expected meaning, but it poses a surprisingly serious constraint 
on how specifications are written. For example, consider a formula F that 
specifies the assignment statement x := x + 1. If this formula is to assert 
that executing the assignment statement does not change y, then explicit- 
ness requires that y (and every other variable that is not changed) be free 
variables of F. A practical language must allow one to write the formula F 
so that y is a free variable of F even though it does not appear in the text. 
Closure under stuttering-equivalence and explicitness may seem esoteric 
to readers accustomed to popular, simple semantics of programs. In a typical 
semantics, the formula specifying a program is satisfied only by behaviors 
in which each step corresponds to the execution of a program action — for 
example, this is the natural way to write a semantics using the "next-time" 
temporal operator. However, composition cannot be conjunction in such a 
semantics. For example, consider two completely noninteracting programs, 
with separate sets of variables, described by formulas F and G. A behavior of 
their composition is obtained by interleaving actions from the two programs. 
But such an interleaved behavior does not satisfy F, since it contains steps 
that do not represent actions of that program, nor does it satisfy G. Thus, 
the composition of the two programs is not described by the formula $F \wedge G$. Closure under stuttering-equivalence and explicitness are needed for 
composition to be conjunction even in the trivial case of noninteracting 
programs. 

Many styles of specification have been proposed, ranging from abstract 
axioms in a specific logic to abstract programs in a specific language. Most 
of these styles can be adapted to our semantics, so they can make use of 
our results. However, these specification styles have usually been based on 
a particular semantic theory, and that underlying theory might have to be 
modified. Thus, one can still specify properties with CSP programs, but the 
traditional failure-set semantics of CSP [Hoa85] would have to be revisited. 
We are now investigating a transition-axiom method based on the temporal 
logic of actions [Lam90]. 

Appendix: Proofs 

This appendix contains the proofs of all propositions and theorems stated above. 
Also included are lemmas, which are used in the proofs but which are not mentioned 
in the main text. The proofs have been carried out to an excruciating level of detail, 
in a hierarchical style that is explained below. The reader may feel that we have 
given long, tedious proofs of obvious assertions. However, what he has not seen are 
the many equally obvious assertions that we discovered to be wrong only by trying 
to write similarly long, tedious proofs. We believe very strongly that reasoning 
must be carried out to this level of detail to avoid mistakes. Without these detailed 
proofs, we would have little confidence in the correctness of our results. 
The proofs employ the following definitions and notations. 

• We make all functions total by defining $f(x)$ to equal $\bot$ when $x$ is not in the domain of $f$.

• If $\rho$ is a finite behavior prefix, $a$ an agent, and $s$ a state, then $\rho \cdot (a, s)$ is the behavior prefix obtained by concatenating $\xrightarrow{a} s$ to the end of $\rho$.

• The length of a finite behavior prefix $\rho$, denoted $|\rho|$, is defined by $|s_0 \xrightarrow{a_1} \ldots \xrightarrow{a_m} s_m| = m$.

• We extend the definition of $\sigma|_m$, previously defined only for a behavior $\sigma$, in the obvious way when $\sigma$ is a finite behavior prefix and $0 \leq m \leq |\sigma|$. (Thus $\sigma|_0$ is a prefix of length 0, consisting of a single state.)

• For a finite behavior prefix $\rho$, the state $\rho_s$ is defined to equal $s_{|\rho|}(\rho)$; and, when $|\rho| > 0$, the agent $\rho_a$ is defined to equal $a_{|\rho|}(\rho)$.

• A mapping $f$ from behavior prefixes to behavior prefixes is monotone iff for all behavior prefixes $\sigma$ and $\tau$, if $\sigma$ is a prefix of $\tau$ then $f(\sigma)$ is a prefix of $f(\tau)$. Observe that if $f$ is monotone, then $\lim_{m \to \infty} f(\sigma|_m)$ exists for any behavior $\sigma$.

• If $f$ is a $\mu$-strategy, then a finite behavior prefix $\rho$ is said to end according to $\mu, f$ iff (i) $|\rho| = 0$, or (ii) $\rho_a \notin \mu$, or (iii) $f(\rho|_{|\rho|-1}) = (\rho_a, \rho_s)$. Note that a behavior $\tau$ is a $\mu$-outcome of $f$ iff every finite prefix of $\tau$ ends according to $\mu, f$.

• If $f$ is a $\mu$-strategy, then a finite behavior prefix $\rho$ is said to be a partial $\mu$-outcome of $f$ iff every prefix of $\rho$ (including $\rho$ itself) ends according to $\mu, f$.

The proofs are written in a hierarchical style. A structured proof consists of a 
preamble followed by a sequence of statements, each with its own proof. A proof 
that uses a case split will have a separate proof for each case. 

The preamble describes the assumptions that are to be made, the desired con- 
clusion, and why this conclusion implies the result to be proved. It may also contain 
an informal description of the proof. The proof statement or statements that assert 
the preamble's desired conclusion are indicated by boxed statement numbers. The 
preamble is omitted if the assumptions and conclusion are obvious. 

A sufficiently simple proof is not structured, being written in the customary 
paragraph style. Some proof statements serve only to make definitions and require 
no proof. 

Lemma 1 For any agent set $\mu$, if (i) $f$ is a $\mu$-strategy, (ii) $\sigma \in \mathcal{O}_\mu(f)$, and (iii) $\sigma' \simeq \sigma$, then there exists a $\mu$-strategy $f'$ such that (iv) $\sigma' \in \mathcal{O}_\mu(f')$ and (v) every behavior in $\mathcal{O}_\mu(f')$ is stuttering-equivalent to some behavior in $\mathcal{O}_\mu(f)$.

Proof of Lemma 1 

We assume $\mu$ is an agent set, $f$ a $\mu$-strategy, $\sigma \in \mathcal{O}_\mu(f)$, and $\sigma' \simeq \sigma$; and we construct the required $f'$. We will define $f'$ so it "tries to produce" $\sigma'$ if that is still possible; otherwise it tries to act like $f$. This means that $f'$ has to switch from trying to produce $\sigma'$ to acting like $f$ if the environment causes the behavior to diverge from $\sigma'$. Our formal definition will be driven by the need for $f'$ to make this switch smoothly. We will first define a mapping $\Sigma$ on behavior prefixes such that $\Sigma$ maps prefixes of $\sigma'$ to prefixes of $\sigma$, and $\Sigma(\rho)$ is stuttering-equivalent to $\rho$ for any behavior prefix $\rho$. We will then define $f'(\rho)$ to equal $f(\Sigma(\rho))$ if $\rho$ is not a prefix of $\sigma'$.

1. For any finite behavior prefix $\rho$, define the finite behavior prefix $\Sigma(\rho)$ inductively as follows.

   if $|\rho| = 0$ then $\Sigma(\rho) = \rho$
   if $\rho = \theta \cdot (a, s)$ then if $\rho$ is a prefix of $\sigma'$
                                      then $\Sigma(\rho)$ is the smallest prefix of $\sigma$ that is stuttering-equivalent to $\rho$
                                      else $\Sigma(\rho) = \Sigma(\theta) \cdot (a, s)$

2. For any finite behavior prefix $\rho$ that is not a prefix of $\sigma'$, $\Sigma(\rho) = \Sigma(\rho|_k) \cdot (a_{k+1}(\rho), s_{k+1}(\rho)) \cdots (\rho_a, \rho_s)$, where $k$ is the smallest natural number such that $\rho|_{k+1}$ is not a prefix of $\sigma'$.

Proof: From 1, by a simple induction on $|\rho| - k$.

3. For any behavior $\tau$, define $\Sigma(\tau)$ as follows.

   if $\tau = \sigma'$ then $\Sigma(\tau) = \sigma$
   else $\Sigma(\tau) = \lim_{m \to \infty} \Sigma(\tau|_m)$

Then $\Sigma(\tau)$ is a behavior.

Proof: If $\tau = \sigma'$, then $\Sigma(\tau)$ is a behavior because $\sigma$ is. If $\tau \neq \sigma'$, then 2 implies that $\lim_{m \to \infty} \Sigma(\tau|_m)$ exists and is infinite.

4. $\Sigma(\tau) \simeq \tau$ for any behavior $\tau$.

Proof: If $\tau = \sigma'$, then the result follows from 3 and the hypothesis that $\sigma' \simeq \sigma$. If $\tau \neq \sigma'$, then 2 and 3 imply $\Sigma(\tau) = \Sigma(\tau|_k) \cdot (a_{k+1}(\tau), s_{k+1}(\tau)) \cdot (a_{k+2}(\tau), s_{k+2}(\tau)) \cdots$, where $\tau|_k$ is a prefix of $\sigma'$ or $k = 0$. The result now follows from 1, which implies $\Sigma(\tau|_k) \simeq \tau|_k$.

5. For any finite behavior prefix $\rho$, define $f'(\rho)$ as follows.

   if $\rho = \sigma'|_k$ then if $a_{k+1}(\sigma') \in \mu$ then $f'(\rho) = (a_{k+1}(\sigma'), s_{k+1}(\sigma'))$
                                else $f'(\rho) = \bot$
   if $\rho$ is not a prefix of $\sigma'$ then $f'(\rho) = f(\Sigma(\rho))$

Then $f'$ is a $\mu$-strategy.

Proof: Follows from the hypothesis that $f$ is a $\mu$-strategy.

6. $\sigma' \in \mathcal{O}_\mu(f')$.

Proof: It follows from the definition of $f'$ that $\sigma'$ is a $\mu$-outcome of $f'$. It is a fair outcome because $a_{k+1}(\sigma') \notin \mu$ implies $f'(\sigma'|_k) = \bot$, so if there are only finitely many $\mu$ actions in $\sigma'$, then $f'$ is undefined on infinitely many prefixes of $\sigma'$.

7. If $\tau$ is a fair $\mu$-outcome of $f'$, then $\Sigma(\tau)$ is a fair $\mu$-outcome of $f$.

Proof: If $\tau = \sigma'$, then $\Sigma(\tau) = \sigma$, and $\sigma$ is a fair $\mu$-outcome of $f$ by hypothesis. We assume that $\tau$ is a fair $\mu$-outcome of $f'$ and $\tau \neq \sigma'$, and we prove that $\Sigma(\tau)$ is a fair $\mu$-outcome of $f$.
7.1. Choose $k$ to be the largest natural number $j$ such that $\tau|_j = \sigma'|_j$, or $-1$ if there is no such $j$. Let $l$ equal $|\Sigma(\tau|_k)|$ if $k \geq 0$, or $-1$ if $k = -1$. For all $i > 0$: (i) if $k \geq 0$ then $\Sigma(\tau)|_{l+i} = \Sigma(\tau|_k) \cdot (a_{k+1}(\tau), s_{k+1}(\tau)) \cdots (a_{k+i}(\tau), s_{k+i}(\tau))$, and (ii) if $k = -1$ then $\Sigma(\tau)|_i = \tau|_i$.

Proof: The existence of $k$ follows from the hypothesis that $\tau \neq \sigma'$. Case (i) follows by induction on $i$ from 2 and 3. Case (ii) follows from 1, 2 (where the $k$ of step 2 is 0), and 3.

7.2. $f(\Sigma(\tau)|_{l+i}) = f'(\tau|_{k+i})$ for all $i > 0$.
Proof: By 7.1 and 5.

7.3. Every finite prefix of $\Sigma(\tau)$ ends according to $\mu, f$.

Proof: Let $m$ be any natural number. We show that $\Sigma(\tau)|_m$ ends according to $\mu, f$. The proof is split into three cases.

Case 7.3A. $m \leq l$

In this case, $k \geq 0$. We have $\Sigma(\tau)|_m$ is a prefix of $\Sigma(\tau)|_l$, which equals $\Sigma(\tau|_k)$ (by definition of $l$ in 7.1, since $k \geq 0$), which in turn is a prefix of $\sigma$. Hence, $\Sigma(\tau)|_m$ ends according to $\mu, f$ by the assumption that $\sigma$ is in $\mathcal{O}_\mu(f)$.

Case 7.3B. $m = 1 + l$

If $m = 0$, then the result is trivial because any sequence of length 0 ends according to $\mu, f$. Assume $m > 0$, so $m = 1 + l$ implies that $l \geq 0$, which implies $k \geq 0$. If $a_m(\Sigma(\tau)) \in \neg\mu$, then the result is trivial. It therefore suffices to prove $a_m(\Sigma(\tau)) \in \neg\mu$. Intuitively, this holds because only the environment can make the behavior diverge from $\sigma'$. Formally, we assume that $a_m(\Sigma(\tau)) \in \mu$ and prove $\tau|_{k+1} = \sigma'|_{k+1}$, which contradicts the definition of $k$ in 7.1.

7.3B.1. $a_m(\Sigma(\tau)) = a_{k+1}(\tau)$
Proof: By 7.1 and the assumption that $m = 1 + l$.

7.3B.2. $f'(\tau|_k) = (a_{k+1}(\tau), s_{k+1}(\tau))$
Proof: By 7.3B.1 and the assumptions that $a_m(\Sigma(\tau)) \in \mu$ and that $\tau$ is a $\mu$-outcome of $f'$.

7.3B.3. $f'(\tau|_k) = (a_{k+1}(\sigma'), s_{k+1}(\sigma'))$
Proof: By 5 (the definition of $f'$), since $\tau|_k$ is a prefix of $\sigma'$ and 7.3B.2 implies that $f'(\tau|_k)$ is defined.

7.3B.4. $\tau|_{k+1} = \sigma'|_{k+1}$
Proof: By 7.3B.2 and 7.3B.3, since $\tau|_k = \sigma'|_k$ by 7.1.

Case 7.3C. $m > 1 + l$

7.3C.1. $\Sigma(\tau)|_m = \Sigma(\tau)|_{m-1} \cdot (a_{k+m-l}(\tau), s_{k+m-l}(\tau))$
Proof: By applying 7.1 twice, substituting $m - l - 1$ and $m - l$ for $i$.

7.3C.2. $f(\Sigma(\tau)|_{m-1}) = f'(\tau|_{k+m-l-1})$.
Proof: By 7.2 with $m - l - 1$ substituted for $i$, since the hypothesis $m > 1 + l$ implies $i > 0$.

7.3C.3. $\Sigma(\tau)|_m$ ends according to $\mu, f$
Proof: By 7.3C.1, 7.3C.2, and the hypothesis that $\tau$ is a $\mu$-outcome of $f'$.

7.4. $\Sigma(\tau)$ is a fair $\mu$-outcome of $f$.
Proof: By 7.3, $\Sigma(\tau)$ is a $\mu$-outcome of $f$. We now show that it is fair. By 7.1, $\Sigma(\tau)$ has infinitely many $\mu$ actions iff $\tau$ does. By 7.2, $f$ is undefined on infinitely many prefixes of $\Sigma(\tau)$ iff $f'$ is undefined on infinitely many prefixes of $\tau$. Hence, $\Sigma(\tau)$ is fair because $\tau$ is assumed to be a fair $\mu$-outcome of $f'$.

8. Every behavior in $\mathcal{O}_\mu(f')$ is stuttering-equivalent to a behavior in $\mathcal{O}_\mu(f)$.

Proof: By 4 and 7.
End Proof of Lemma 1

Lemma 2 For any agent set $\mu$, if (i) $f$ is a $\mu$-strategy, (ii) $\sigma \in \mathcal{O}_\mu(f)$, and (iii) $\sigma'$ is $\mu$-equivalent to $\sigma$, then there exists a $\mu$-strategy $f'$ such that (iv) $\sigma' \in \mathcal{O}_\mu(f')$ and (v) every behavior in $\mathcal{O}_\mu(f')$ is $\mu$-equivalent to some behavior in $\mathcal{O}_\mu(f)$.

Proof of Lemma 2

The proof is almost identical to that of Lemma 1, except with $\simeq$ replaced by $\mu$-equivalence. The definition of $\Sigma$ in step 1 becomes:

   if $|\rho| = 0$ then $\Sigma(\rho) = \rho$
   if $\rho = \theta \cdot (a, s)$ then if $\rho$ is a prefix of $\sigma'$
                                      then $\Sigma(\rho)$ is the prefix of $\sigma$ of the same length as $\rho$
                                      else $\Sigma(\rho) = \Sigma(\theta) \cdot (a, s)$

The proof becomes a bit simpler because $l$ equals $k$ in step 7.1. We omit the details.
End Proof of Lemma 2



Proposition 1 For every agent set $\mu$, if $P$ is a property then $\mathcal{R}_\mu(P)$ is a property, and if $P$ is $\mu$-abstract then $\mathcal{R}_\mu(P)$ is $\mu$-abstract.

Proof of Proposition 1

The first part of the proposition, that if $P$ is a property then $\mathcal{R}_\mu(P)$ is also a property, follows immediately from Lemma 1 and the definitions. The second part, that if $P$ is $\mu$-abstract then $\mathcal{R}_\mu(P)$ is also $\mu$-abstract, follows from Lemma 2.
End Proof of Proposition 1

Lemma 3 For any agent set $\mu$, if (i) $f$ is a $\mu$-strategy and (ii) $\sigma \in \mathcal{O}_\mu(f)$, then there exists a behavior $\sigma'$ and a total $\mu$-strategy $f'$ that is invariant under $\neg\mu$-stuttering such that (iii) $\sigma' \simeq \sigma$, (iv) $\sigma' \in \mathcal{O}_\mu(f')$, and (v) every behavior in $\mathcal{O}_\mu(f')$ is stuttering-equivalent to a behavior in $\mathcal{O}_\mu(f)$.

Proof of Lemma 3

We assume that $f$ is a $\mu$-strategy and $\sigma \in \mathcal{O}_\mu(f)$, and we will construct the required $f'$ and $\sigma'$. Instead of using $\sigma$ and $f$ directly, for technical reasons we will construct a new behavior $\phi$ in step 1 by adding an infinite number of $\neg\mu$-stuttering steps to $\sigma$, and will use Lemma 1 to obtain a strategy $g$ that produces $\phi$. The behavior $\sigma'$ will be obtained (in step 8) by replacing $\neg\mu$-stuttering steps in $\phi$ by $\mu$-stuttering steps. We will construct $f'$ (in step 5) so it tries to produce $\sigma'$ and, failing that, to simulate $g$. To make $f'$ total, we will define it to stutter when $g$ would be undefined. This requires $f'$ to interpret $\mu$-stuttering steps produced in this way as if they were $\neg\mu$-stuttering steps, an interpretation performed by the mapping $\Lambda$, defined in step 3. The behavior prefix $\Lambda(\rho)$ will be obtained from $\rho$ by replacing $\mu$-stuttering steps with $\neg\mu$-stuttering steps if either that will lead to a prefix of $\phi$, or those $\mu$-stuttering steps were produced by $f'$ because $g$ was undefined. To make $f'$ invariant under $\neg\mu$-stuttering, we will define $f'$ in terms of $\Sigma$, the mapping obtained by removing $\neg\mu$-stuttering steps and then applying $\Lambda$.

1. Choose a behavior $\phi$ such that $\phi \simeq \sigma$ and $\phi$ contains infinitely many $\neg\mu$-stuttering steps, and choose a $\mu$-strategy $g$ such that $\phi \in \mathcal{O}_\mu(g)$ and every behavior in $\mathcal{O}_\mu(g)$ is stuttering-equivalent to a behavior in $\mathcal{O}_\mu(f)$.

Proof: The existence of $\phi$ follows from the assumption that $\mu$ is an agent set, so $\neg\mu$ is nonempty. The existence of $g$ follows from Lemma 1.

2. Choose agents $\beta_\mu$ in $\mu$ and $\beta_{\neg\mu}$ in $\neg\mu$.

Proof: Since $\mu$ is an agent set, $\mu$ and $\neg\mu$ are nonempty.

3. For any finite behavior prefix $\rho$, define $\Lambda(\rho)$ as follows.

   if $|\rho| = 0$ then $\Lambda(\rho) = \rho$
   if $\rho = \theta \cdot (a, s)$
      then if $(\Lambda(\theta) = \phi|_k) \wedge (s = \theta_s = s_k(\phi) = s_{k+1}(\phi)) \wedge (a \in \mu) \wedge (a_{k+1}(\phi) \in \neg\mu)$, where $k = |\Lambda(\theta)|$
              then $\Lambda(\rho) = \phi|_{k+1}$
           else if $(s = \theta_s) \wedge (a \in \mu) \wedge (g(\Lambda(\theta)) = \bot)$
              then $\Lambda(\rho) = \Lambda(\theta) \cdot (\beta_{\neg\mu}, s)$
           else $\Lambda(\rho) = \Lambda(\theta) \cdot (a, s)$

For any behavior $\tau$, define $\Lambda(\tau)$ to equal $\lim_{m \to \infty} \Lambda(\tau|_m)$.

Proof: The mapping $\Lambda$ is monotone on finite behavior prefixes, so the limit exists.

4. For any behavior prefix $\tau$, let $\Sigma(\tau) = \Lambda(\natural_{\neg\mu}(\tau))$. Then $\tau \simeq \Sigma(\tau)$.

Proof: By definition, $\natural_{\neg\mu}\tau \simeq \tau$. It follows from 3 (the definition of $\Lambda$) by induction on the length of $\rho$ that $\Lambda(\rho) \simeq \rho$ for any finite behavior prefix $\rho$. Since $\Lambda(\tau)$ equals $\lim_{m \to \infty} \Lambda(\tau|_m)$ (by 3), this implies that $\Lambda(\tau) \simeq \tau$ for any behavior $\tau$. Hence, $\Sigma(\tau) \simeq \tau$.

5. For any finite behavior prefix $\rho$, define $f'(\rho)$ as follows.

   if $(\Sigma(\rho) = \phi|_k) \wedge (s_{k+1}(\phi) = s_k(\phi)) \wedge (a_{k+1}(\phi) \in \neg\mu)$, where $k = |\Sigma(\rho)|$, or $g(\Sigma(\rho)) = \bot$
      then $f'(\rho) = (\beta_\mu, \rho_s)$
      else $f'(\rho) = g(\Sigma(\rho))$

Then $f'$ is a total $\mu$-strategy that is invariant under $\neg\mu$-stuttering.

Proof: Since $g$ is a $\mu$-strategy and $\beta_\mu$ is in $\mu$, it follows that $f'$ is a $\mu$-strategy. Since $\natural_{\neg\mu}\rho = \natural_{\neg\mu}\rho'$ implies $\Sigma(\rho) = \Sigma(\rho')$ and $\rho_s = \rho'_s$, the definitions of $\Sigma$ (in step 4) and $f'$ imply that $f'$ is invariant under $\neg\mu$-stuttering. By definition, $f'$ is a total function.

6. $\Sigma(\tau) \in \mathcal{O}_\mu(g)$ for any behavior $\tau \in \mathcal{O}_\mu(f')$.

Proof: We assume $\tau \in \mathcal{O}_\mu(f')$ and prove $\Sigma(\tau) \in \mathcal{O}_\mu(g)$. It is simpler to prove $\Sigma(\tau) \in \mathcal{O}_\mu(g)$ if $\tau$ has no $\neg\mu$-stuttering steps. We will therefore prove $\Sigma(\natural_{\neg\mu}\tau) \in \mathcal{O}_\mu(g)$ (step 6.6) and then observe (in the proof of 6.7) that $\Sigma(\tau)$ equals $\Sigma(\natural_{\neg\mu}\tau)$. The proof of $\Sigma(\natural_{\neg\mu}\tau) \in \mathcal{O}_\mu(g)$ is an intricate exercise in verifying that our definitions of $\Lambda$ and $f'$ work properly.

6.1. For any behavior prefix $\psi$, $|\Lambda(\psi)| = |\psi|$, and if $\psi = \natural_{\neg\mu}\psi$ then $\Sigma(\psi) = \Lambda(\psi)$.
Proof: First, assume that $\psi$ is finite. A simple induction on $|\psi|$ shows that $\Lambda$ is length-preserving. If $\psi = \natural_{\neg\mu}\psi$, then 4 (the definition of $\Sigma$) implies $\Sigma(\psi) = \Lambda(\psi)$. The case of $\psi$ infinite follows from the finite case by taking limits.

6.2. Let $\rho$ be a finite behavior prefix with $\rho = \natural_{\neg\mu}\rho$ and let $m$ equal $|\rho|$. If $\Sigma(\rho) = \eta \cdot (a, s)$ and $a \in \mu$, then

(a) $a = a_m(\rho)$ and $s = s_m(\rho)$,

(b) $\eta = \Lambda(\rho|_{m-1})$, and

(c) if $s_m(\rho) = s_{m-1}(\rho)$, then neither (i) $\eta = \phi|_{m-1}$, $s_m(\phi) = s_{m-1}(\phi)$, and $a_m(\phi) \in \neg\mu$, nor (ii) $g(\eta) = \bot$ holds.

Proof: We assume $\rho = \natural_{\neg\mu}\rho$, $\Sigma(\rho) = \eta \cdot (a, s)$, and $a \in \mu$, and we prove (a)-(c).

6.2.1. For any finite $\theta$, (i) $\Lambda(\theta)_s = \theta_s$, and (ii) if $\Lambda(\theta)_a \in \mu$ then $\Lambda(\theta)_a = \theta_a$.
Proof: By 3.

6.2.2. $a = a_m(\rho)$ and $s = s_m(\rho)$.
Proof: By 6.2.1, since 6.1 implies $\Sigma(\rho) = \Lambda(\rho)$.

6.2.3. $\eta = \Lambda(\rho|_{m-1})$
Proof: By 6.1, $\eta \cdot (a, s) = \Lambda(\rho)$, and 3 (the definition of $\Lambda$) implies that $\Lambda(\rho) = \Lambda(\rho|_{m-1}) \cdot (\gamma, t)$ for some $\gamma$ and $t$.

6.2.4. If $s_m(\rho) = s_{m-1}(\rho)$, then it is not the case that: (i) $\eta = \phi|_{m-1}$, (ii) $s_m(\phi) = s_{m-1}(\phi)$, and (iii) $a_m(\phi) \in \neg\mu$.
Proof: We assume (i)-(iii) and (iv) $s_m(\rho) = s_{m-1}(\rho)$, and we obtain a contradiction. Let $\theta$ equal $\rho|_{m-1}$. Then $\eta$ equals $\Lambda(\theta)$ by 6.2.3, and $s = \theta_s = s_{m-1}(\phi)$ by (i), (iv), and 6.2.1. Applying 3 with $m - 1$ substituted for $k$, using 6.1 (to infer $|\Sigma(\rho|_{m-1})| = m - 1$) and the assumption that $a \in \mu$, yields $\Lambda(\rho) = \phi|_m$. Hence, $a = a_m(\phi)$, which by (iii) contradicts the assumption $a \in \mu$.

6.2.5. If $s_m(\rho) = s_{m-1}(\rho)$, then $g(\eta) \neq \bot$.
Proof: We assume (i) $s_m(\rho) = s_{m-1}(\rho)$ and (ii) $g(\eta) = \bot$, and we obtain a contradiction. Let $\theta = \rho|_{m-1}$. Then $\eta$ equals $\Lambda(\theta)$ by 6.2.3, so $s = \theta_s$ by 6.2.1 and (i). By 6.2.4 and 3 (the definition of $\Lambda$), we see that (ii), $s = \theta_s$, and the hypothesis $a \in \mu$ imply $\Lambda(\rho)_a = \beta_{\neg\mu}$. This contradicts the hypothesis that $a$, which equals $\Lambda(\rho)_a$, is in $\mu$.
6.3. For any finite behavior prefix $\rho$, if $\rho = \natural_{\neg\mu}\rho$ and $\rho$ ends according to $\mu, f'$, then $\Sigma(\rho)$ ends according to $\mu, g$.

Proof: We assume that $\rho = \natural_{\neg\mu}\rho$ and $\rho$ ends according to $\mu, f'$, and we prove that $\Sigma(\rho)$ ends according to $\mu, g$. Since this is trivial if $|\Sigma(\rho)| = 0$ or $\Sigma(\rho)_a \in \neg\mu$, it suffices to assume that $\Sigma(\rho) = \eta \cdot (a, s)$ with $a \in \mu$ and prove that $(a, s) = g(\eta)$. Let $m$ equal $|\rho|$.

6.3.1. $(a, s) = f'(\rho|_{m-1})$
Proof: By 6.2(a) and the hypothesis that $\rho$ ends according to $\mu, f'$.

6.3.2. $\eta = \Sigma(\rho|_{m-1})$
Proof: By 6.1 and 6.2(b).

6.3.3. $f'(\rho|_{m-1}) = g(\Sigma(\rho|_{m-1}))$
Proof: We assume $f'(\rho|_{m-1}) \neq g(\Sigma(\rho|_{m-1}))$ and obtain a contradiction. Substituting $\rho|_{m-1}$ for $\rho$ in 5 shows that if $f'(\rho|_{m-1}) \neq g(\Sigma(\rho|_{m-1}))$ then $f'(\rho|_{m-1}) = (\beta_\mu, s_{m-1}(\rho))$. Hence, 6.3.1 and 6.2(a) imply $s_m(\rho) = s_{m-1}(\rho)$. Substituting $\rho|_{m-1}$ for $\rho$ in 5 again, and using 6.1 to infer $|\Sigma(\rho|_{m-1})| = m - 1$, then shows that 6.3.2 and 6.2(c) imply $f'(\rho|_{m-1}) = g(\Sigma(\rho|_{m-1}))$, which is the required contradiction.

6.3.4. $(a, s) = g(\eta)$.
Proof: By 6.3.1-6.3.3.

6.4. (a) $a_m(\tau) \in \mu$ for infinitely many values of $m$, and (b) $\natural_{\neg\mu}\tau \in \mathcal{O}_\mu(f')$.
Proof: Part (a) follows from the hypothesis that $\tau \in \mathcal{O}_\mu(f')$, since $f'$ is a total function. This implies that $\natural_{\neg\mu}\tau$ is a behavior. Since $f'$ is invariant under $\neg\mu$-stuttering, $\tau$ is an outcome of $f'$ iff $\natural_{\neg\mu}\tau$ is. The behavior $\natural_{\neg\mu}\tau$ is a fair outcome because (a) implies that it contains infinitely many $\mu$ actions.

6.5. $\Sigma(\natural_{\neg\mu}\tau)$ is a $\mu$-outcome of $g$.

Proof: The definition of $\natural_{\neg\mu}$ implies that $\rho = \natural_{\neg\mu}\rho$ for every prefix $\rho$ of $\natural_{\neg\mu}\tau$. By monotonicity of $\Lambda$ and 6.1, every prefix of $\Sigma(\natural_{\neg\mu}\tau)$ equals $\Sigma(\natural_{\neg\mu}\rho)$ for some finite prefix $\rho$ of $\tau$. The result then follows from 6.4(b) and 6.3.

6.6. $\Sigma(\natural_{\neg\mu}\tau) \in \mathcal{O}_\mu(g)$

Proof: Let $\psi$ denote $\natural_{\neg\mu}\tau$. By 6.5, it suffices to prove that $a_m(\Sigma(\psi)) \in \mu$ or $g(\Sigma(\psi)|_m) = \bot$, for infinitely many values of $m$. Since $\phi \in \mathcal{O}_\mu(g)$, we may assume that $\Sigma(\psi) \neq \phi$.

6.6.1. $\Lambda(\psi)|_k = \Lambda(\psi|_k)$ for any natural number $k$.
Proof: By 3, which asserts that $\Lambda(\psi) = \lim_{m \to \infty} \Lambda(\psi|_m)$, and 6.1.

6.6.2. Choose $k$ such that $\Sigma(\psi)|_k$ is not a prefix of $\phi$.
Proof: The existence of $k$ follows from the hypothesis that $\Sigma(\psi) \neq \phi$.

6.6.3. For all $m > k$, if $a_m(\psi) \in \mu$ then $a_m(\Sigma(\psi)) \in \mu$ or $g(\Sigma(\psi)|_{m-1}) = \bot$.
Proof: Substituting $\psi|_m$ for $\rho$ in 3 yields

   if $\Lambda(\psi|_{m-1}) = \phi|_k \wedge \ldots$
      then $\ldots$
   else if $g(\Lambda(\psi|_{m-1})) = \bot \wedge \ldots$
      then $\ldots$
   else $\Lambda(\psi|_m) = \Lambda(\psi|_{m-1}) \cdot (a_m(\psi), \ldots)$
By 6.6.1 and 6.6.2, $m > k$ implies $\Lambda(\psi|_{m-1})$ is not a prefix of $\phi$. Hence, $\Lambda(\psi|_m)_a = a_m(\psi)$ or $g(\Lambda(\psi|_{m-1})) = \bot$. But 6.6.1 implies $\Lambda(\psi|_m)_a = a_m(\Lambda(\psi))$ and $g(\Lambda(\psi|_{m-1})) = g(\Lambda(\psi)|_{m-1})$. Hence, $a_m(\psi) \in \mu$ implies $a_m(\Lambda(\psi)) \in \mu$ or $g(\Lambda(\psi)|_{m-1}) = \bot$. The result now follows from 6.1, which implies that $\Lambda(\psi) = \Sigma(\psi)$.

6.6.4. $a_m(\psi) \in \mu$ for infinitely many values of $m$.
Proof: By 6.4(a), since $\psi = \natural_{\neg\mu}\tau$ and $\natural_{\neg\mu}$ preserves actions in $\mu$.

6.6.5. $a_m(\Sigma(\psi)) \in \mu$ or $g(\Sigma(\psi)|_m) = \bot$, for infinitely many values of $m$.
Proof: By 6.6.3 and 6.6.4, since $A_m \vee B_m$ holds for infinitely many values of $m$ iff $A_m$ holds for infinitely many values of $m$ or $B_m$ holds for infinitely many values of $m$.

6.7. $\Sigma(\tau) \in \mathcal{O}_\mu(g)$
Proof: By 6.6, since $\Sigma(\natural_{\neg\mu}\tau) = \Sigma(\tau)$ by 4 (the definition of $\Sigma$) and the idempotence of $\natural_{\neg\mu}$.

7. For any behavior $\tau \in \mathcal{O}_\mu(f')$, there exists a behavior $\upsilon \in \mathcal{O}_\mu(f)$ such that $\upsilon \simeq \tau$.
Proof: By 6, $\tau \in \mathcal{O}_\mu(f')$ implies $\Sigma(\tau) \in \mathcal{O}_\mu(g)$. By 1, there exists a behavior $\upsilon$ in $\mathcal{O}_\mu(f)$ such that $\Sigma(\tau) \simeq \upsilon$. By 4, $\tau \simeq \Sigma(\tau)$. The transitivity of $\simeq$ then yields $\tau \simeq \upsilon$.

8. There exists a behavior $\sigma' \in \mathcal{O}_\mu(f')$ such that $\sigma' \simeq \sigma$.

Proof: We will construct $\sigma'$ from $\phi$ by replacing $\neg\mu$-stuttering steps with $\mu$-stuttering steps. The proof that $\sigma'$ is a $\mu$-outcome of $f'$ is a matter of checking the definitions of $\Lambda$ and $f'$. Fairness will follow from having chosen $\phi$ with infinitely many $\neg\mu$-stuttering steps.

8.1. Define $\sigma'$ as follows. For all $k \geq 0$,

   $s_k(\sigma') = s_k(\phi)$
   if $a_{k+1}(\phi) \in \neg\mu \wedge s_{k+1}(\phi) = s_k(\phi)$
      then $a_{k+1}(\sigma') = \beta_\mu$
      else $a_{k+1}(\sigma') = a_{k+1}(\phi)$

8.2. $\natural_{\neg\mu}(\sigma'|_k) = \sigma'|_k$ for all $k \geq 0$.
Proof: By the definition 8.1, $\sigma'$ has no $\neg\mu$-stuttering steps.

8.3. $\Lambda(\sigma'|_k) = \phi|_k$ for all $k \geq 0$.
Proof: The proof is by induction on $k$. The result is obvious for $k = 0$. We assume it true for $k$ and prove it for $k + 1$. We consider two cases:

Case 8.3A. $a_{k+1}(\sigma') \neq a_{k+1}(\phi)$

8.3A.1. $a_{k+1}(\sigma') \in \mu$, $a_{k+1}(\phi) \in \neg\mu$, and $s_{k+1}(\phi) = s_k(\phi)$.
Proof: By the definition of $\sigma'$ and the assumption that $a_{k+1}(\sigma') \neq a_{k+1}(\phi)$.

8.3A.2. $s_{k+1}(\sigma') = s_k(\sigma')$.
Proof: By 8.1 (the definition of $\sigma'$) and 8.3A.1, since $s_m(\sigma') = s_m(\phi)$ for all $m$.

8.3A.3. $\Lambda(\sigma'|_{k+1}) = \phi|_{k+1}$
Proof: By the induction hypothesis, 8.1, 8.3A.1, 8.3A.2, and 3 (the definition of $\Lambda$).
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Case 8.3B . a k+1 (a r ) = a k+1 (<f>) 

We assume that A(cr / |^_|_i) ^ 4>\k+i and obtain a contradiction. 
8.3B.1. ajfe + i(<7') G n and g(A(a'\ k )) = J_. 

Proof: By the induction hypothesis, 8.1 (which implies Sk+i(<f>) = 
Sfc_|_i((r')), the assumption that A(a'\k+i) ^ <f>\k+i, and 3 (the defi- 
nition of A). 
8.3B.2. & k+ i((j)) G // and g((j>\k) = _L 

Proof: By 8.3B.1, the hypothesis that a k+ i(a') = a k+ i((f)), and the 
induction hypothesis that A(a'\k) = <f>\k- 
8.3B.3. Contradiction. 

Proof: 8.3B.2 and the hypothesis that <f> is a //-outcome of g. 
8.4. E(a'\ k ) = (t>\ k for all k > 0. 

Proo/: By 8.2, 8.3, and 4 (the definition of S). 
a 1 ~ <r 

Proof: 8.2, 8.3, and the definition of S imply <^ = S(cr'). Step 4 asserts 
a' ~ S(cr'), so a' ~ By 1, <f> ~ c, so c' ~ a follows from the transitivity 
of ~ 



8.5 



Proof: Since <f> contains an infinite number of -i //-stuttering steps (by 1), 8.1 
(the definition of a') implies that a m (a 1 ) G // for infinitely many values of m. 
Therefore, to show that a 1 G O^if ), it suffices to assume that a m+ i(a') G // 
and prove that (a m +i(c / ), s m +i(c / )) = f'(cr'\ m ). We consider two cases. 
Case 8.6A . a m+ i(<r') ^ a m+ i((f)) 

8.6A.1. a m+ i((j>) G -■/«, s m+ i (0) = s m (<j>), and a m+ i(cr') = fi^. 
Proof: By 8.1 (the definition of a'). 



8.6A.2.| /V| m ) = K+iKl.ViK)). 

Proof: By 8.6A.1, 8.4, 8.1 (which implies s m (c') = s m (<^) and 
s m _|_i((r') = s m+ i ((/))), and the definition of /'. 
Case 8.6B . a m+ i(<r') = a m+ i((f)) 
8.6B.1. g{<f>\ m ) = (a m+ i((j>),s m+ i((j>)) 

Proof: Since a m+ i(a') is assumed to be in //, and <f> is a //-outcome 
of g. 

8.6B.2. /VU) =fl(H(<7'| m )) 

Proof: By definition of /', since a m +i(<^) G // by hypothesis, 
</(</>| m ) ^ ± by 8.6B.1, and a'\ m = </>\ m by 8.4. 

8.6B.3.| /V| m ) = K + iK),s m+1 (.')) 

Proof: By 8.6B.1, 8.6B.2, 8.1, 8.4, and the assumption a m +i(c / ) = 

a m +i(^)- 
End Proof of Lemma 3 

Proposition 2 For any agent set $\mu$ and any property $P$, let $\mathcal{S}_\mu(P)$ be the subset of $\mathcal{R}_\mu(P)$ consisting of the union of all sets $\mathcal{O}_\mu(f)$ contained in $P$ such that $f$ is a total $\mu$-strategy that is invariant under $\neg\mu$-stuttering. Then every behavior in $\mathcal{R}_\mu(P)$ is stuttering-equivalent to a behavior in $\mathcal{S}_\mu(P)$.

Proof of Proposition 2

This is an immediate consequence of Lemma 3.

End Proof of Proposition 2

Proposition 3 For any properties $P$ and $Q$ and any agent set $\mu$, if $P \subseteq Q$ then $\mathcal{R}_\mu(P) \subseteq \mathcal{R}_\mu(Q)$.

Proof of Proposition 3

We assume $P \subseteq Q$ and $\sigma \in \mathcal{R}_\mu(P)$, and we prove $\sigma \in \mathcal{R}_\mu(Q)$.

1. Choose a $\mu$-strategy $f$ such that $\sigma \in \mathcal{O}_\mu(f) \subseteq P$.

Proof: The existence of $f$ follows from the definition of $\mathcal{R}_\mu(P)$.

2. $\sigma \in \mathcal{O}_\mu(f) \subseteq Q$

Proof: 1 and the hypothesis $P \subseteq Q$.

3. $\sigma \in \mathcal{R}_\mu(Q)$

Proof: By 2 and the definition of $\mathcal{R}_\mu(Q)$.

End Proof of Proposition 3

Proposition 4 For any property $P$ and agent set $\mu$, $\mathcal{R}_\mu(\mathcal{R}_\mu(P)) = \mathcal{R}_\mu(P)$.

Proof of Proposition 4

We assume that $P$ is a property and $\mu$ is an agent set, and we prove $\mathcal{R}_\mu(\mathcal{R}_\mu(P)) = \mathcal{R}_\mu(P)$. The set $\mathcal{R}_\mu(P)$ consists of all outcomes of winning strategies when the system is trying to produce an outcome in $P$. Any such strategy is also a winning strategy when the system is trying to produce an outcome in $\mathcal{R}_\mu(P)$, so $\mathcal{R}_\mu(\mathcal{R}_\mu(P))$ must equal $\mathcal{R}_\mu(P)$. The formal proof is as follows.

1. $\mathcal{R}_\mu(\mathcal{R}_\mu(P)) \subseteq \mathcal{R}_\mu(P)$

Proof: By Proposition 3, since $\mathcal{R}_\mu(P) \subseteq P$.

2. $\mathcal{R}_\mu(P) \subseteq \mathcal{R}_\mu(\mathcal{R}_\mu(P))$

Proof: We assume that $\sigma \in \mathcal{R}_\mu(P)$ and prove that $\sigma \in \mathcal{R}_\mu(\mathcal{R}_\mu(P))$.

2.1. Choose a $\mu$-strategy $f$ such that $\sigma \in \mathcal{O}_\mu(f) \subseteq P$.

Proof: $f$ exists by definition of $\mathcal{R}_\mu(P)$.

2.2. $\mathcal{O}_\mu(f) \subseteq \mathcal{R}_\mu(P)$

Proof: By definition of $\mathcal{R}_\mu(P)$.

2.3. $\sigma \in \mathcal{R}_\mu(\mathcal{R}_\mu(P))$

Proof: By definition of $\mathcal{R}_\mu(\mathcal{R}_\mu(P))$, since $\mathcal{O}_\mu(f) \subseteq \mathcal{R}_\mu(P)$ by 2.2 and $\sigma \in \mathcal{O}_\mu(f)$ by 2.1.

End Proof of Proposition 4



Proposition 5 For any property $P$ and agent set $\mu$, $\mathcal{R}_\mu(P) = \overline{\mathcal{R}_\mu(P)} \cap P$.

Proof of Proposition 5

1. $\mathcal{R}_\mu(P) \subseteq \overline{\mathcal{R}_\mu(P)} \cap P$

Proof: $\mathcal{R}_\mu(P)$ is included both in $\overline{\mathcal{R}_\mu(P)}$ (by the definition of closure) and in $P$ (by the definition of $\mathcal{R}_\mu$).

2. $\overline{\mathcal{R}_\mu(P)} \cap P \subseteq \mathcal{R}_\mu(P)$

Proof: We assume $\sigma \in \overline{\mathcal{R}_\mu(P)} \cap P$ and prove $\sigma \in \mathcal{R}_\mu(P)$. By definition of $\mathcal{R}_\mu(P)$, it suffices to prove that there exists a $\mu$-strategy $f$ such that $\sigma \in \mathcal{O}_\mu(f)$ and $\mathcal{O}_\mu(f) \subseteq P$. To construct $f$, we will choose a sequence of behaviors $\phi_i$ in $\mathcal{R}_\mu(P)$ having $\sigma$ as their limit, and strategies $g_i$ that produce the $\phi_i$. We will define $f$ so it tries to produce $\sigma$. As it does so, it is acting like $g_i$ for all sufficiently large $i$. When $f$ can no longer produce $\sigma$, it continues to act like one of the $g_i$.

2.1. For all $i \geq 0$, choose a behavior $\phi_i$ in $\mathcal{R}_\mu(P)$ such that $\sigma|_i$ is a prefix of $\phi_i$.

Proof: The $\phi_i$ exist by definition of closure, since $\sigma \in \overline{\mathcal{R}_\mu(P)}$.

2.2. For all $i \geq 0$, choose a $\mu$-strategy $g_i$ such that $\sigma|_i$ is a prefix of a fair outcome of $g_i$ and $\mathcal{O}_\mu(g_i) \subseteq P$.

Proof: By 2.1, there exist $\mu$-strategies $g_i$ with $\phi_i \in \mathcal{O}_\mu(g_i) \subseteq P$.

2.3. Define the $\mu$-strategy $f$ as follows.

  if $\rho = \sigma|_j$ for some $j$
    then if $a_{j+1}(\sigma) \in \mu$ then $f(\rho) = (a_{j+1}(\sigma), s_{j+1}(\sigma))$
                                   else $f(\rho) = \bot$
    else $f(\rho) = g_i(\rho)$, where $i$ is the smallest integer such that $\rho|_i \neq \sigma|_i$

Proof: $f$ is a $\mu$-strategy since each $g_i$ is (by 2.2).

2.4. $\sigma \in \mathcal{O}_\mu(f)$

Proof: By 2.3, if $a_m(\sigma) \in \mu$ then $f(\sigma|_{m-1}) = (a_m(\sigma), s_m(\sigma))$, for all $m > 0$. Thus $\sigma$ is a $\mu$-outcome of $f$. Furthermore, 2.3 implies that $f(\sigma|_m)$ is undefined if $a_{m+1}(\sigma) \in \neg\mu$, so $\sigma$ is fair.

2.5. For all $\tau \in \mathcal{O}_\mu(f)$, if $\tau \neq \sigma$ then $\tau \in \mathcal{O}_\mu(g_i)$ for some $i$.

Proof: Assume $\tau \in \mathcal{O}_\mu(f)$ and $\tau \neq \sigma$. Let $i$ be the smallest integer such that $\tau|_i \neq \sigma|_i$. We show that $\tau \in \mathcal{O}_\mu(g_i)$.

2.5.1. For all $j \geq i$, $f(\tau|_j) = g_i(\tau|_j)$.

Proof: By definition of $i$, if $j \geq i$ then $\sigma|_j \neq \tau|_j$. The result then follows from 2.3 (the definition of $f$).

2.5.2. $\tau$ is a $\mu$-outcome of $g_i$.

Proof: We must show that for all $j \geq 0$, if $a_{j+1}(\tau) \in \mu$ then $g_i(\tau|_j) = (a_{j+1}(\tau), s_{j+1}(\tau))$. We split the proof into two cases.

Case 2.5.2A. $j < i$

2.5.2A.1. $\sigma|_j = \tau|_j$

Proof: By the hypothesis that $j < i$ and the definition of $i$.

2.5.2A.2. $(a_{j+1}(\tau), s_{j+1}(\tau)) = (a_{j+1}(\sigma), s_{j+1}(\sigma))$

Proof: By 2.5.2A.1, 2.3, and the hypotheses that $\tau$ is a $\mu$-outcome of $f$ and $a_{j+1}(\tau) \in \mu$.

2.5.2A.3. $\sigma|_{j+1}$ is a prefix of $\sigma|_i$.

Proof: By the hypothesis that $j < i$.

2.5.2A.4. $g_i(\sigma|_j) = (a_{j+1}(\sigma), s_{j+1}(\sigma))$

Proof: 2.5.2A.2 and the assumption $a_{j+1}(\tau) \in \mu$ imply $a_{j+1}(\sigma) \in \mu$. The result then follows from 2.5.2A.3 and 2.2, which asserts that $\sigma|_i$ is a partial $\mu$-outcome of $g_i$.

2.5.2A.5. $g_i(\tau|_j) = (a_{j+1}(\tau), s_{j+1}(\tau))$

Proof: By 2.5.2A.1, 2.5.2A.2, and 2.5.2A.4.

Case 2.5.2B. $j \geq i$

Proof: 2.5.1 and the two hypotheses $\tau \in \mathcal{O}_\mu(f)$ and $a_{j+1}(\tau) \in \mu$ imply $g_i(\tau|_j) = (a_{j+1}(\tau), s_{j+1}(\tau))$.

2.5.3. $\tau$ is a fair $\mu$-outcome of $g_i$.

Proof: 2.5.2 asserts that $\tau$ is a $\mu$-outcome of $g_i$, and fairness follows from 2.5.1 and the assumption that $\tau$ is a fair outcome of $f$.

2.6. $\mathcal{O}_\mu(f) \subseteq P$

Proof: We assume $\tau \in \mathcal{O}_\mu(f)$ and prove that $\tau \in P$. This is immediate if $\tau = \sigma$, because $\sigma$ is in $P$ by hypothesis. If $\tau \neq \sigma$, it follows from 2.5 and 2.2.

End Proof of Proposition 5

Proposition 6 For any nonempty safety property $P$ and any agent set $\mu$, property $P$ constrains at most $\mu$ iff $P = \mathcal{R}_\mu(P)$.

Proof of Proposition 6

We assume that $P$ is a nonempty safety property and $\mu$ is an agent set. Since $\mathcal{R}_\mu(P) \subseteq P$ by definition of $\mathcal{R}_\mu(P)$, it suffices to prove that $P \subseteq \mathcal{R}_\mu(P)$ iff $P$ constrains at most $\mu$.

1. If $P$ constrains at most $\mu$, then $P \subseteq \mathcal{R}_\mu(P)$.

Proof: We assume that $\sigma$ is any behavior in $P$ and construct a $\mu$-strategy $f$ such that $\sigma \in \mathcal{O}_\mu(f)$ and $\mathcal{O}_\mu(f) \subseteq P$. We will define $f$ so it tries to produce the outcome $\sigma$ and does nothing if this is no longer possible. Since $P$ is a safety property, doing nothing cannot violate $P$.

1.1. For any finite behavior prefix $\rho$, define $f(\rho)$ by

  if $\rho = \sigma|_m$ and $a_{m+1}(\sigma) \in \mu$, for some $m$
    then $f(\rho) = (a_{m+1}(\sigma), s_{m+1}(\sigma))$
    else $f(\rho) = \bot$

Then $f$ is a $\mu$-strategy.

Proof: $f$ is obviously a $\mu$-strategy.

1.2. $\sigma \in \mathcal{O}_\mu(f)$

Proof: It is immediate from 1.1 (the definition of $f$) that $\sigma$ is a $\mu$-outcome of $f$. It is a fair $\mu$-outcome because $a_{m+1}(\sigma) \in \neg\mu$ implies that $f(\sigma|_m) = \bot$.

1.3. $\mathcal{O}_\mu(f) \subseteq P$

Proof: We assume that $\tau$ is an arbitrary behavior in $\mathcal{O}_\mu(f)$ but not in $P$ and derive a contradiction.

1.3.1. Let $m$ be the smallest integer such that $\tau|_m \notin P$.

Proof: $m$ exists because $P$ is a safety property and, by hypothesis, $\tau \notin P$.

1.3.2. $m > 0$ and $a_m(\tau) \in \mu$.

Proof: By 1.3.1 and the hypothesis that $P$ constrains at most $\mu$.

1.3.3. $f(\tau|_{m-1}) = (a_m(\tau), s_m(\tau))$

Proof: By 1.3.2 and the hypothesis that $\tau$ is a $\mu$-outcome of $f$.

1.3.4. $(a_m(\tau), s_m(\tau)) = (a_m(\sigma), s_m(\sigma))$

Proof: By 1.3.3 and 1.1 (the definition of $f$).

1.3.5. $\tau|_{m-1} = \sigma|_{m-1}$

Proof: By 1.3.3, since 1.1 (the definition of $f$) implies $\rho$ is in the domain of $f$ iff $\rho$ is a prefix of $\sigma$.

1.3.6. $\tau|_m = \sigma|_m$

Proof: By 1.3.4 and 1.3.5.

1.3.7. $\sigma|_m \in P$

Proof: By the hypotheses that $P$ is a safety property and $\sigma \in P$.

1.3.8. Contradiction.

Proof: 1.3.1, 1.3.6, and 1.3.7.

2. If $P \subseteq \mathcal{R}_\mu(P)$, then $P$ constrains at most $\mu$.

Proof: We assume that $P$ does not constrain at most $\mu$ and prove that there exists a behavior in $P$ that is not in $\mathcal{R}_\mu(P)$. The behavior will be one in which the environment could have taken a step that would have violated $P$, but chose not to. Thus, the behavior cannot be produced by a winning strategy for $\mu$.

2.1. Choose a behavior $\sigma$ and an $m \geq 0$ such that $\sigma|_m \notin P$ and either (i) $m = 0$ or (ii) $\sigma|_{m-1} \in P$ and $a_m(\sigma) \notin \mu$.

Proof: Such a $\sigma$ exists by the assumption that $P$ does not constrain at most $\mu$.

2.2. If $m = 0$ then $\mathcal{R}_\mu(P) = \emptyset$.

Proof: We assume $m = 0$ and prove that $\mathcal{R}_\mu(P) = \emptyset$. The proof involves showing that if there is some initial state in which the system loses, then it has no winning strategy.

2.2.1. For any behavior $\tau$, if $s_0(\tau) = s_0(\sigma)$ then $\tau \notin P$.

Proof: 2.1 and the hypothesis $m = 0$ imply $\sigma|_0 \notin P$. Hence, $s_0(\tau) = s_0(\sigma)$ implies $\tau|_0 \notin P$, which implies $\tau \notin P$ because $P$ is a safety property.

2.2.2. For any state $s$ and any $\mu$-strategy $f$, there exists a behavior $\tau \in \mathcal{O}_\mu(f)$ such that $s_0(\tau) = s$.

Proof: Let $s$ be any state and let $a$ be any agent not in $\mu$. Define $\tau$ inductively by letting $s_0(\tau) = s$ and, for $i > 0$, if $\tau|_{i-1}$ is in the domain of $f$, then $(a_i(\tau), s_i(\tau)) = f(\tau|_{i-1})$, otherwise $a_i(\tau) = a$ and $s_i(\tau) = s_{i-1}(\tau)$.

2.2.3. $\mathcal{R}_\mu(P) = \emptyset$

Proof: 2.2.1 and 2.2.2 imply that there exists no $\mu$-strategy $f$ with $\mathcal{O}_\mu(f) \subseteq P$.

2.3. If $m > 0$, then $\sigma|_{m-1}$ is in $P$ but not in $\mathcal{R}_\mu(P)$.

Proof: Assume $m > 0$, so $\sigma|_{m-1} \in P$ by 2.1. Let $f$ be any $\mu$-strategy with $\sigma|_{m-1} \in \mathcal{O}_\mu(f)$. We prove that there exists a behavior $\tau$ in $\mathcal{O}_\mu(f)$ that is not in $P$. We will take $\tau$ to be an outcome in which $\sigma|_{m-1}$ is produced and then the environment adds $(a_m(\sigma), s_m(\sigma))$.

2.3.1. Let $a$ be any agent in $\neg\mu$ and let $\tau$ be the behavior such that $\tau|_m = \sigma|_m$ and, for all $i > m$, if $\tau|_{i-1}$ is in the domain of $f$, then $(a_i(\tau), s_i(\tau)) = f(\tau|_{i-1})$, otherwise $a_i(\tau) = a$ and $s_i(\tau) = s_{i-1}(\tau)$.

2.3.2. $\tau \in \mathcal{O}_\mu(f)$

Proof: To prove that $\tau$ is a $\mu$-outcome of $f$, we must show that for all $i > 0$, if $a_i(\tau) \in \mu$ then $(a_i(\tau), s_i(\tau)) = f(\tau|_{i-1})$. For $i < m$, this follows because $\tau|_i = \sigma|_i$ (by 2.3.1) and $\sigma|_{m-1}$ is a $\mu$-outcome of $f$ (by hypothesis). For $i = m$, it follows because $a_m(\sigma) \notin \mu$ (by 2.1 and the assumption that $m > 0$). For $i > m$, it follows immediately from the definition of $\tau$. Fairness follows from the definition of $\tau$.

2.3.3. $\tau \notin P$

Proof: $\sigma|_m \notin P$ by 2.1 (the choice of $\sigma$), and $\tau|_m = \sigma|_m$ by 2.3.1 (the definition of $\tau$), so $\tau|_m \notin P$. Since $P$ is a safety property, this implies $\tau \notin P$.

2.4. There exists a behavior in $P$ that is not in $\mathcal{R}_\mu(P)$.

Proof: If $m > 0$, this follows from 2.3. If $m = 0$, it follows from 2.2 and the hypothesis that $P$ is nonempty.

End Proof of Proposition 6
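The two constructions in this proof, the $\sigma$-following strategy of step 1.1 and the witness behavior of step 2.1, can be exercised on a finite model. The following Python program is an added illustration, not code from the paper: the state space, the agent set, the two toy safety properties (`sys_never_jumps`, which restricts only the $\mu$ agent, and `nobody_jumps`, which also restricts the environment) and the horizon bound are all constructed here. It enumerates every behavior prefix up to the bound, checks "constrains at most $\mu$" on those prefixes, builds $f$ as in 1.1, and generates all prefixes of $\mu$-outcomes of $f$. For the property that constrains only $\mu$ no outcome prefix leaves $P$, as step 1.3 proves; for the property that also restricts the environment, the search finds an environment step that takes a $P$-prefix out of $P$, which is exactly the $\sigma|_m$ of step 2.1 and the outcome $\tau$ of step 2.3.

```python
# Constructed illustration of the proof of Proposition 6; not code from the paper.
# A finite prefix sigma|_m is modelled as (s0, ((a1, s1), ..., (am, sm))).
STATES = (0, 1, 2, 3)            # toy state space
AGENTS = ("sys", "env")          # toy agent set
MU = frozenset({"sys"})          # the agent set mu; "env" lies in not-mu
BOTTOM = None                    # the undefined value of a strategy

def extend(rho, agent, state):
    """rho . (agent, state)"""
    return (rho[0], rho[1] + ((agent, state),))

def prefix(rho, m):
    """rho|_m, the first m steps of rho."""
    return (rho[0], rho[1][:m])

def sys_never_jumps(rho):
    """P_good: a mu step raises the state by at most 1; environment steps are free."""
    prev = rho[0]
    for agent, state in rho[1]:
        if agent in MU and state > prev + 1:
            return False
        prev = state
    return True

def nobody_jumps(rho):
    """P_bad: no step raises the state by more than 1, whoever takes it."""
    prev = rho[0]
    for _agent, state in rho[1]:
        if state > prev + 1:
            return False
        prev = state
    return True

def all_prefixes(horizon):
    """Every prefix with at most `horizon` steps, shortest first."""
    frontier = [(s0, ()) for s0 in STATES]
    yield from frontier
    for _ in range(horizon):
        frontier = [extend(r, a, s) for r in frontier for a in AGENTS for s in STATES]
        yield from frontier

def constrains_at_most(P, mu, horizon):
    """Bounded check that P constrains at most mu: every initial state is in P and a
    P-prefix can leave P only by a mu step. Returns None if the check passes, else the
    witness (sigma|_m, m) of step 2.1 of the proof."""
    for rho in all_prefixes(horizon):
        if not P(rho):
            m = len(rho[1])
            if m == 0 or (P(prefix(rho, m - 1)) and rho[1][-1][0] not in mu):
                return rho, m
    return None

def follow_strategy(sigma, mu):
    """The mu-strategy f of step 1.1: reproduce sigma while rho = sigma|_m and the next
    step of sigma is a mu step; otherwise do nothing."""
    def f(rho):
        m = len(rho[1])
        if m < len(sigma[1]) and rho == prefix(sigma, m):
            agent, state = sigma[1][m]
            if agent in mu:
                return (agent, state)
        return BOTTOM
    return f

def bounded_outcomes(f, mu, horizon):
    """Prefixes (up to `horizon` steps) of mu-outcomes of f: every mu step is the one f
    prescribes, every environment step is arbitrary."""
    env_agents = [a for a in AGENTS if a not in mu]
    frontier = [(s0, ()) for s0 in STATES]
    seen = list(frontier)
    for _ in range(horizon):
        nxt = []
        for rho in frontier:
            move = f(rho)
            if move is not BOTTOM:
                nxt.append(extend(rho, *move))
            nxt.extend(extend(rho, a, s) for a in env_agents for s in STATES)
        frontier = nxt
        seen.extend(nxt)
    return seen

def first_escape(P, sigma, horizon):
    """Step 1.3 on a bounded horizon: the first outcome prefix of the sigma-following
    strategy that leaves P, or None if every outcome prefix stays in P."""
    f = follow_strategy(sigma, MU)
    for rho in bounded_outcomes(f, MU, horizon):
        if not P(rho):
            return rho
    return None

# A constructed target behaviour sigma lying in both toy properties.
SIGMA = (0, (("sys", 1), ("env", 2), ("sys", 3)))

if __name__ == "__main__":
    print("P_good constrains at most mu:", constrains_at_most(sys_never_jumps, MU, 2) is None)
    print("P_good, first escaping outcome prefix:", first_escape(sys_never_jumps, SIGMA, 3))
    print("P_bad, witness (sigma|_m, m):", constrains_at_most(nobody_jumps, MU, 2))
    print("P_bad, first escaping outcome prefix:", first_escape(nobody_jumps, SIGMA, 3))
```

The bounded search only refutes; it cannot prove the unbounded statement, and the finite `SIGMA` stands for the behavior that stutters forever after its last step, which is why $f$ returns $\bot$ once `SIGMA` is exhausted. The contrast between the two properties is the practical content of the proposition: a guarantee that a component can actually enforce may forbid only that component's own steps, since any clause that forbids an environment step can be violated by the environment no matter what strategy the component plays.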






Proposition 7 For any agent set $\mu$, if $P$ is a $\mu$-realizable property then $\overline{\mathcal{R}_\mu(P)}$ constrains at most $\mu$.

Proof of Proposition 7

1. For any property $Q$, if $Q$ is a safety property then $\mathcal{R}_\mu(Q)$ is a safety property.

Proof: By Proposition 5, $\mathcal{R}_\mu(Q) = \overline{\mathcal{R}_\mu(Q)} \cap Q$. The conjunction of safety properties is a safety property (since safety properties are closed sets), so $\mathcal{R}_\mu(Q)$ is a safety property.

2. $\mathcal{R}_\mu(\overline{\mathcal{R}_\mu(P)}) = \overline{\mathcal{R}_\mu(P)}$

2.1. $\mathcal{R}_\mu(\overline{\mathcal{R}_\mu(P)}) \subseteq \overline{\mathcal{R}_\mu(P)}$

Proof: By definition of $\mathcal{R}_\mu$.

2.2. $\overline{\mathcal{R}_\mu(P)} \subseteq \mathcal{R}_\mu(\overline{\mathcal{R}_\mu(P)})$

2.2.1. $\mathcal{R}_\mu(\mathcal{R}_\mu(P)) \subseteq \mathcal{R}_\mu(\overline{\mathcal{R}_\mu(P)})$

Proof: By monotonicity of $\mathcal{R}_\mu$, since $Q \subseteq \overline{Q}$ for any property $Q$.

2.2.2. $\mathcal{R}_\mu(P) \subseteq \mathcal{R}_\mu(\overline{\mathcal{R}_\mu(P)})$

Proof: By 2.2.1 and Proposition 4.

2.2.3. $\mathcal{R}_\mu(\overline{\mathcal{R}_\mu(P)})$ is a closed set.

Proof: By 1.

2.2.4. $\overline{\mathcal{R}_\mu(P)} \subseteq \mathcal{R}_\mu(\overline{\mathcal{R}_\mu(P)})$

Proof: By 2.2.2 and 2.2.3, since $\overline{\mathcal{R}_\mu(P)}$ is by definition the smallest closed set containing $\mathcal{R}_\mu(P)$.

3. $\overline{\mathcal{R}_\mu(P)}$ constrains at most $\mu$.

Proof: By 2, Proposition 6, and the hypothesis that $P$ is $\mu$-realizable, so $\overline{\mathcal{R}_\mu(P)}$ is nonempty.

End Proof of Proposition 7

Lemma 4 Let $\mu$ be an agent set, and let $E$ and $M$ be properties such that:

1. $E = I \cap P$, where

(a) $I$ is a state predicate.

(b) $P$ is a safety property that constrains at most $\neg\mu$.

2. $M$ constrains at most $\mu$.

For any behavior $\sigma$ and $i \geq 0$, if $\sigma \in \mathcal{R}_\mu(E \Rightarrow M)$ and $\sigma|_i \notin M$, then $i > 0$ and $\sigma|_{i-1} \notin E$.

Proof of Lemma 4

Proof: We assume $\sigma \in \mathcal{R}_\mu(E \Rightarrow M)$ and $\sigma|_i \notin M$, and we prove that $i > 0$ and $\sigma|_{i-1} \notin E$.

1. $i > 0$

Proof: By the assumption $\sigma|_i \notin M$, the hypothesis that $M$ constrains at most $\mu$, and the definition of constrains at most.

2. For all $j \geq 0$, if $\sigma|_j \notin M$ then $\sigma|_j \notin E$.

Proof: We assume $\sigma|_j \notin M$ and $\sigma|_j \in E$, and obtain a contradiction. We will first construct a behavior $\tau$ that equals $\sigma$ for its first $j$ steps, after which it follows a strategy that puts it in $E \Rightarrow M$, taking $\neg\mu$-stuttering steps whenever the strategy is undefined. We will then construct $\phi$ by changing those $\neg\mu$-stuttering steps to $\mu$-stuttering steps. This $\phi$ will not be in $M$ because $\sigma$ violates $M$ by its $j$th step, and it will be in $E$ because it will not have any $\neg\mu$ steps that can violate $E$, so $\phi \notin (E \Rightarrow M)$. This will lead to a contradiction because $\tau \in (E \Rightarrow M)$ and $\phi \sim \tau$.

2.1. Choose a behavior $\tau$ such that:

(a) $\tau|_j = \sigma|_j$

(b) $\tau \in (E \Rightarrow M)$

(c) $a_{k+1}(\tau) \in \neg\mu$ implies $s_{k+1}(\tau) = s_k(\tau)$, for all $k \geq j$.

2.1.1. Choose a $\mu$-strategy $f$ such that $\sigma \in \mathcal{O}_\mu(f) \subseteq (E \Rightarrow M)$.

Proof: $f$ exists by the assumption $\sigma \in \mathcal{R}_\mu(E \Rightarrow M)$ and the definition of $\mathcal{R}_\mu$.

2.1.2. Choose $\beta_{\neg\mu} \in \neg\mu$ and define $\tau$ by $\tau|_j = \sigma|_j$ and, for all $k \geq j$:

  if $f(\tau|_k) \neq \bot$ then $(a_{k+1}(\tau), s_{k+1}(\tau)) = f(\tau|_k)$
                          else $(a_{k+1}(\tau), s_{k+1}(\tau)) = (\beta_{\neg\mu}, s_k(\tau))$

Proof: $\beta_{\neg\mu}$ exists by the assumption that $\mu$ is an agent set, which implies that $\neg\mu$ is nonempty.

2.1.3. $\tau|_j = \sigma|_j$

Proof: By 2.1.2 (the definition of $\tau$).

2.1.4. $\tau \in \mathcal{O}_\mu(f)$

Proof: To show that $\tau$ is a $\mu$-outcome of $f$, we must show that $\tau|_k$ ends according to $f$ for all $k \geq 0$. For $k < j$, this follows from 2.1.1 and 2.1.3. For $k \geq j$, it follows from 2.1.2. The outcome $\tau$ is fair because 2.1.2 implies that, for all $k \geq j$, the strategy $f$ is undefined on $\tau|_k$ iff $a_{k+1}(\tau) \in \neg\mu$.

2.1.5. $\tau \in (E \Rightarrow M)$

Proof: From 2.1.1 (the choice of $f$) and 2.1.4.

2.1.6. $a_{k+1}(\tau) \in \neg\mu$ implies $s_{k+1}(\tau) = s_k(\tau)$, for all $k \geq j$.

Proof: By 2.1.2 (the definition of $\tau$) and 2.1.1, which asserts that $f$ is a $\mu$-strategy.

2.2. Choose a behavior $\phi$ such that:

(a) $\phi|_j = \sigma|_j$

(b) $\phi \sim \tau$

(c) $a_{k+1}(\phi) \in \mu$ for all $k \geq j$.

2.2.1. Choose $\beta_\mu \in \mu$ and define $\phi$ by $\phi|_j = \tau|_j$ and, for all $k \geq j$:

  $s_{k+1}(\phi) = s_{k+1}(\tau)$
  if $s_{k+1}(\tau) \neq s_k(\tau)$ then $a_{k+1}(\phi) = a_{k+1}(\tau)$
                               else $a_{k+1}(\phi) = \beta_\mu$

Proof: $\beta_\mu$ exists by the assumption that $\mu$ is an agent set and therefore nonempty.

2.2.2. $\phi|_j = \sigma|_j$

Proof: By 2.2.1 and 2.1(a).

2.2.3. $\phi \sim \tau$

Proof: By 2.2.1, since $\phi$ is obtained from $\tau$ by changing only agents on stuttering steps.

2.2.4. $a_{k+1}(\phi) \in \mu$, for all $k \geq j$.

Proof: By 2.2.1 (the definition of $\phi$) and 2.1(c).

2.3. $\phi \in E$

2.3.1. $\phi|_j \in E$

Proof: By 2.2(a) and the assumption $\sigma|_j \in E$.

2.3.2. $\phi \in I$

Proof: By 2.3.1 and the hypotheses that $I$ is a state predicate and $E = I \cap P$.

2.3.3. $\phi \in P$

Proof: By 2.3.1, 2.2(c), and the hypotheses that $P$ constrains at most $\neg\mu$ and $E = I \cap P$.

2.3.4. $\phi \in E$

Proof: By 2.3.2 and 2.3.3, since $E = I \cap P$ by hypothesis.

2.4. $\phi \notin M$

2.4.1. $\phi|_j \notin M$

Proof: 2.2(a) and the assumption $\sigma|_j \notin M$.

2.4.2. $\phi \notin \overline{M}$

Proof: By 2.4.1, since $\overline{M}$ is a safety property.

2.4.3. $\phi \notin M$

Proof: By 2.4.2, since $M \subseteq \overline{M}$.

2.5. $\phi \notin (E \Rightarrow M)$

Proof: By 2.3 and 2.4.

2.6. $\tau \notin (E \Rightarrow M)$

Proof: By 2.2(b), 2.5, and the hypothesis that $E$ and $M$ are properties.

2.7. Contradiction.

Proof: By 2.6 and 2.1(b).

3. $\sigma|_{i-1} \notin E$

Proof: Let $j$ be the smallest natural number such that $\sigma|_j \notin M$. The hypothesis $\sigma|_i \notin M$ implies $j \leq i$. We now consider two cases.

Case 3A. $j < i$

3A.1. $\sigma|_k \notin M$, for all $k \geq j$.

Proof: $\sigma|_j \notin M$ by definition of $j$, and $M$ is a safety property.

3A.2. $\sigma|_{i-1} \notin M$

Proof: By 3A.1 and the assumption $j < i$.

3A.3. $\sigma|_{i-1} \notin E$

Proof: By 3A.2 and 2.

Case 3B. $j = i$

3B.1. $\sigma|_{i-1} \in M$

Proof: By definition of $j$ and the assumption $j = i$, since $i > 0$ by 1.

3B.2. $a_i(\sigma) \in \mu$

Proof: By 3B.1, the assumption $\sigma|_i \notin M$, and the hypothesis that $M$ constrains at most $\mu$.

3B.3. $\sigma|_i \notin E$

Proof: By 2 and the assumption $\sigma|_i \notin M$.

3B.4. $\sigma|_{i-1} \notin E$

Proof: By 3B.2, 3B.3, and the hypothesis that $E$ constrains at most $\neg\mu$.

End Proof of Lemma 4

Proposition 8 Let $\mu$ be an agent set, $I$ a state predicate, $P$ a safety property that constrains at most $\neg\mu$, and $Q$ a safety property that constrains at most $\mu$. Then $\mathcal{R}_\mu(I \cap P \Rightarrow Q)$ equals $I \cap P \mathrel{-\!\triangleright} Q$.

Proof of Proposition 8

1. $\mathcal{R}_\mu(I \cap P \Rightarrow Q) \subseteq (I \cap P \mathrel{-\!\triangleright} Q)$

Proof: We assume that there exists a behavior $\sigma$ such that $\sigma \in \mathcal{R}_\mu(I \cap P \Rightarrow Q)$ and $\sigma \notin (I \cap P \mathrel{-\!\triangleright} Q)$, and we obtain a contradiction.

1.1. Let $i$ be the smallest integer such that $\sigma|_i \notin (I \cap P \mathrel{-\!\triangleright} Q)$.

Proof: $i$ exists by the hypothesis $\sigma \notin (I \cap P \mathrel{-\!\triangleright} Q)$ and the definition of $I \cap P \mathrel{-\!\triangleright} Q$.

1.2. $\sigma|_i \notin Q$

Proof: By 1.1.

1.3. $\sigma|_{i-1} \in P$

Proof: By 1.1, which implies $\sigma|_i \in P$, since $P$ is a safety property and $(\sigma|_i)|_{i-1}$ equals $\sigma|_{i-1}$.

1.4. Contradiction.

Proof: By 1.2, 1.3, the hypothesis $\sigma \in \mathcal{R}_\mu(I \cap P \Rightarrow Q)$, and Lemma 4 (substituting $Q$ for $M$).

2. $(I \cap P \mathrel{-\!\triangleright} Q) \subseteq \mathcal{R}_\mu(I \cap P \Rightarrow Q)$

2.1. $(I \cap P \mathrel{-\!\triangleright} Q) \subseteq (I \cap P \Rightarrow Q)$

Proof: By definition of $(I \cap P \mathrel{-\!\triangleright} Q)$.

2.2. $\mathcal{R}_\mu(I \cap P \mathrel{-\!\triangleright} Q) \subseteq \mathcal{R}_\mu(I \cap P \Rightarrow Q)$

Proof: By 2.1 and Proposition 3.

2.3. $I \cap P \mathrel{-\!\triangleright} Q$ constrains at most $\mu$.

Proof: $I \cap P \mathrel{-\!\triangleright} Q$ is a safety property and $Q \subseteq (I \cap P \mathrel{-\!\triangleright} Q)$ by definition of $I \cap P \mathrel{-\!\triangleright} Q$. Since $Q$ constrains at most $\mu$ by hypothesis, any safety property containing $Q$ also constrains at most $\mu$.

2.4. $I \cap P \mathrel{-\!\triangleright} Q$ is nonempty.

Proof: $Q$ is nonempty by the hypothesis that it constrains at most $\mu$, and $Q$ is a subset of $I \cap P \mathrel{-\!\triangleright} Q$.

2.5. $\mathcal{R}_\mu(I \cap P \mathrel{-\!\triangleright} Q) = I \cap P \mathrel{-\!\triangleright} Q$

Proof: By 2.3, 2.4, and Proposition 6.

2.6. $(I \cap P \mathrel{-\!\triangleright} Q) \subseteq \mathcal{R}_\mu(I \cap P \Rightarrow Q)$

Proof: By 2.2 and 2.5.

End Proof of Proposition 8



Proposition 9 For any agent set $\mu$, safety property $M$, and arbitrary property $L$, the following three conditions are equivalent:

(a) For every finite behavior $\rho$ such that $\rho \in M$, there exist a $\mu$-strategy $f$ with $\mathcal{O}_\mu(f) \subseteq M \cap L$ and a behavior $\sigma \in \mathcal{O}_\mu(f)$ with $\rho$ a prefix of $\sigma$.

(b) For every finite behavior $\rho$ such that $\rho \in M$, there exist a $\mu$-strategy $f$ with $\mathcal{O}_\mu(f) \subseteq M \cap L$ and a behavior $\sigma \in \mathcal{O}_\mu(f)$ with $\rho$ stuttering-equivalent to a prefix of $\sigma$.

(c) The pair $(M, M \cap L)$ is machine-closed, and $M \cap L$ is $\mu$-receptive.

Proof of Proposition 9

It is obvious that (a) implies (b). We prove that (b) implies (c), and that (c) implies (a). We first assume that (b) holds and prove (c).

1. $M \subseteq \overline{\mathcal{R}_\mu(M \cap L)}$

Proof: We assume $\sigma \in M$ and prove that $\sigma \in \overline{\mathcal{R}_\mu(M \cap L)}$. By definition of the topology, it suffices to assume that $i \geq 0$ and prove that there exists a behavior $\tau \in \mathcal{R}_\mu(M \cap L)$ such that $\sigma|_i \sim \tau|_j$, for some $j$.

1.1. $\sigma|_i \in M$

Proof: Since $M$ is closed by hypothesis, and the definition of the topology.

1.2. Choose a $\mu$-strategy $f$ with $\mathcal{O}_\mu(f) \subseteq M \cap L$ and a behavior $\tau \in \mathcal{O}_\mu(f)$ such that $\sigma|_i \sim \tau|_j$ for some $j$.

Proof: By (b) and 1.1, substituting $\sigma|_i$ for $\rho$ and $\tau$ for $\sigma$ in (b).

1.3. $\tau \in \mathcal{R}_\mu(M \cap L)$ and $\sigma|_i \sim \tau|_j$, for some $j$.

Proof: By 1.2, since $\mathcal{O}_\mu(f) \subseteq M \cap L$ implies $\mathcal{O}_\mu(f) \subseteq \mathcal{R}_\mu(M \cap L)$ by definition of $\mathcal{R}_\mu$.

2. The pair $(M, M \cap L)$ is machine-closed.

Proof: We must prove that $M = \overline{M \cap L}$.

2.1. $\overline{M \cap L} \subseteq M$

2.1.1. $\overline{M \cap L} \subseteq \overline{M}$

Proof: By monotonicity of closure.

2.1.2. $\overline{M} = M$

Proof: By hypothesis, $M$ is a safety property.

2.1.3. $\overline{M \cap L} \subseteq M$

Proof: By 2.1.1 and 2.1.2.

2.2. $\overline{\mathcal{R}_\mu(M \cap L)} \subseteq \overline{M \cap L}$

Proof: Since $\mathcal{R}_\mu(U) \subseteq U$ for any property $U$, and closure is monotone.

2.3. $M \subseteq \overline{M \cap L}$

Proof: By 1 and 2.2.

3. $M \cap L$ is $\mu$-receptive.

Proof: By definition, we must prove that $M \cap L = \mathcal{R}_\mu(M \cap L)$.

3.1. $M \cap L \subseteq \overline{\mathcal{R}_\mu(M \cap L)}$

Proof: By 1.

3.2. $\overline{\mathcal{R}_\mu(M \cap L)} \cap M \cap L = M \cap L$

Proof: By 3.1.

3.3. $\mathcal{R}_\mu(M \cap L) = \overline{\mathcal{R}_\mu(M \cap L)} \cap M \cap L$

Proof: By Proposition 5.

3.4. $M \cap L = \mathcal{R}_\mu(M \cap L)$

Proof: By 3.2 and 3.3.

We now assume that (c) holds and prove (a). Let $\rho$ be a finite behavior with $\rho \in M$. We must find a $\mu$-strategy $f$ with $\mathcal{O}_\mu(f) \subseteq M \cap L$ and a behavior $\sigma \in \mathcal{O}_\mu(f)$ with $\rho$ a prefix of $\sigma$.

1. Choose $\sigma \in M \cap L$ such that $\rho$ is a prefix of $\sigma$.

Proof: $\sigma$ exists by the machine-closure hypothesis ($M = \overline{M \cap L}$).

2. $\sigma \in \mathcal{R}_\mu(M \cap L)$

Proof: By 1 and the hypothesis that $M \cap L$ is receptive.

3. There exists a $\mu$-strategy $f$ such that $\sigma \in \mathcal{O}_\mu(f)$ and $\mathcal{O}_\mu(f) \subseteq M \cap L$.

Proof: By 2 and the definition of $\mathcal{R}_\mu(M \cap L)$.

End Proof of Proposition 9



Proposition 10 Let $\mu$ be an agent set, let $x$ be the projection function from $S \times X$ to $X$, and let $I_X$ be an $S \times X$-predicate, $\mathcal{N}$ a next-state relation on $S \times X$, and $U_X$ an $S \times X$-property. Let $M$ equal (3) and let $P$ equal (2). Assume that:

(a) For all $s \in S$ there exists $x \in X$ such that $(s, x) \in I_X$.

(b) The pair $(\mathit{TA}_\mu(\mathcal{N}),\ \mathit{TA}_\mu(\mathcal{N}) \cap (I_X \cap \mathit{TA}_{\neg\mu}(U_X) \Rightarrow L))$ is $\mu$-machine-realizable.

(c) $M$ is a safety property.

Then $(M, P)$ is $\mu$-machine-realizable.

Proof of Proposition 10

By part (b) of Proposition 9, it suffices to assume that $\rho$ is a finite behavior prefix such that $\rho \in \exists x : I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N})$ and to construct a $\mu$-strategy $f$ such that $\mathcal{O}_\mu(f)$ is a subset of $\exists x : I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N}) \cap L$, and a behavior $\sigma \in \mathcal{O}_\mu(f)$ such that $\rho \sim \sigma|_j$ for some $j$. To construct $f$ and $\sigma$, we will first choose a strategy $g$ whose outcomes all lie in $\mathit{TA}_\mu(\mathcal{N}) \cap (I_X \cap \mathit{TA}_{\neg\mu}(U_X) \Rightarrow L)$ and a behavior $\phi$ produced by $g$ whose projection (by $\Pi_S$) has $\rho$ as a prefix. We will then define an "inverse projection" $\Psi$ from $S$-behaviors to $S \times X$-behaviors whose image contains $\phi$, and will define $f$ to be $g$ composed with $\Psi$ and $\sigma$ to be the projection of $\phi$.

1. Choose $\phi \in I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N})$ such that $\Pi_S(\phi) \sim \rho$.

Proof: The existence of $\phi$ follows from the hypothesis that $\rho \in \exists x : I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N})$ and the definition of existential quantification.

2. Choose $j$ such that $\Pi_S(\phi|_j) \sim \rho$.

Proof: $j$ exists by 1, which asserts that $\Pi_S(\phi) \sim \rho$.

3. Choose a $\mu$-strategy $g$ such that $\mathcal{O}_\mu(g) \subseteq \mathit{TA}_\mu(\mathcal{N}) \cap (I_X \cap \mathit{TA}_{\neg\mu}(U_X) \Rightarrow L)$ and $\phi|_j$ is a partial $\mu$-outcome of $g$.

Proof: By hypothesis (b), the definition of machine-realizability, and part (a) of Proposition 9 (with $\phi|_j$ substituted for $\rho$).

4. Choose a behavior $\tau \in \mathcal{O}_\mu(g)$ such that $\tau|_j = \phi|_j$ and $\tau \in I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N}) \cap L$.

Define $\tau$ inductively as follows, where $\beta_{\neg\mu}$ is any element of $\neg\mu$.

  if $i \leq j$ then $a_i(\tau) = a_i(\phi)$ and $s_i(\tau) = s_i(\phi)$
  if $i > j$ then if $g(\tau|_{i-1}) = \bot$
                 then $(a_i(\tau), s_i(\tau)) = (\beta_{\neg\mu}, s_{i-1}(\tau))$
                 else $(a_i(\tau), s_i(\tau)) = g(\tau|_{i-1})$

4.1. Then $\tau|_j = \phi|_j$ and $\tau \in \mathcal{O}_\mu(g)$.

Proof: By construction, $\tau|_j = \phi|_j$. Since $\phi|_j$ is a partial $\mu$-outcome of $g$ (by 3), the definition of $\tau$ implies that $\tau$ is a $\mu$-outcome. It is a fair $\mu$-outcome because, for all $i > j$, $a_i(\tau) \in \neg\mu$ iff $g(\tau|_{i-1}) = \bot$.

4.2. $\tau \in I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N}) \cap L$

Proof: By 4.1 and 3, $\tau \in \mathcal{O}_\mu(g) \subseteq \mathit{TA}_\mu(\mathcal{N}) \cap (I_X \cap \mathit{TA}_{\neg\mu}(U_X) \Rightarrow L)$. It therefore suffices to prove that $\tau \in I_X \cap \mathit{TA}_{\neg\mu}(U_X)$, which means proving that (i) $s_0(\tau) \in I_X$ and (ii) $a_i(\tau) \in \neg\mu$ implies $\Pi_X(s_{i-1}(\tau)) = \Pi_X(s_i(\tau))$. But (i) holds because $s_0(\tau) = s_0(\phi)$ and $s_0(\phi) \in I_X$ by 1. Condition (ii) follows for $i \leq j$ by 1, since $\tau|_j = \phi|_j$ by 4.1. For $i > j$, (ii) follows immediately from the definition of $\tau$.

5. Choose a monotone mapping $\Psi$ from behavior prefixes with state space $S$ to behavior prefixes with state space $S \times X$ such that

(a) For any finite behavior prefix $\eta$

(i) $\Pi_S(\Psi(\eta)) = \eta$

(ii) $s_0(\Psi(\eta)) \in I_X$

(iii) For all $i > 0$, if $a_i(\Psi(\eta)) \in \neg\mu$ then $(s_{i-1}(\Psi(\eta)), s_i(\Psi(\eta))) \in U_X$.

(iv) For any agent $a$ and state $s$ in $S$, if $\Pi_S(g(\Psi(\eta))) = (a, s)$, then $\Psi(\eta \cdot (a, s)) = \Psi(\eta) \cdot g(\Psi(\eta))$.

(b) $\Psi(\xi) = \lim_{m \to \infty} \Psi(\xi|_m)$ for any behavior $\xi$.

(c) $\Psi(\Pi_S(\tau|_i)) = \tau|_i$, for all $i \geq 0$.

Proof: We define $\Psi(\eta)$ for any finite behavior prefix $\eta$ by induction on $|\eta|$ as follows.

  if $|\eta| = 0$
    then if $s_0(\eta) = \Pi_S(s_0(\tau))$
           then $s_0(\Psi(\eta)) = s_0(\tau)$
           else $s_0(\Psi(\eta)) = (s_0(\eta), x)$ for any $x$ with $(s_0(\eta), x) \in I_X$.
  if $\eta = \theta \cdot (a, s)$
    then if $a \in \neg\mu$
           then $\Psi(\eta) = \Psi(\theta) \cdot (a, (s, \Pi_X(\Psi(\theta)_s)))$
           else if $(a, s) = \Pi_S(g(\Psi(\theta)))$
                  then $\Psi(\eta) = \Psi(\theta) \cdot g(\Psi(\theta))$
                  else $\Psi(\eta) = \Psi(\theta) \cdot (a, (s, x))$ for any $x$ in $X$.

Note that in the case $|\eta| = 0$, the $x$ chosen in the else clause exists by hypothesis (a) of the Proposition. We take (b) as the definition of $\Psi$ for behaviors. The monotonicity of $\Psi$ is immediate from the definition, so the limit in (b) exists. Property (a)(ii) follows from the case $|\eta| = 0$ in the definition of $\Psi(\eta)$. Properties (a)(i), (a)(iii), and (a)(iv) follow from the definition of $\Psi$ by induction on $|\eta|$. The proof of (c) is by induction on $i$. For $i = 0$, it follows immediately from the definition of $\Psi$. For the induction step, we assume $\tau|_i = \tau|_{i-1} \cdot (a, (s, x))$ and $\Psi(\Pi_S(\tau|_{i-1})) = \tau|_{i-1}$ and prove $\Psi(\Pi_S(\tau|_i)) = \tau|_i$. If $a \in \mu$, then this follows from the definition of $\Psi$ because $\tau \in \mathcal{O}_\mu(g)$ (by 4). If $a \in \neg\mu$, then it follows from the definition of $\Psi$ because $\tau \in \mathit{TA}_{\neg\mu}(U_X)$ (also by 4).

6. For any finite behavior prefix $\eta$ with states in $S$, define $f(\eta)$ to equal $\Pi_S(g(\Psi(\eta)))$, where $\Pi_S$ is extended to a mapping from $A \times (S \times X)$ to $A \times S$ in the obvious way. Then $f$ is a $\mu$-strategy, and $\xi \in \mathcal{O}_\mu(f)$ implies $\Psi(\xi) \in \mathcal{O}_\mu(g)$.

6.1. $\eta_a = \Psi(\eta)_a$, for any finite behavior prefix $\eta$.

Proof: By 5(a)(i) and the definition of $\Pi_S$.

6.2. $f$ is a $\mu$-strategy.

Proof: By 6.1, since $g$ is a $\mu$-strategy (by 3).

6.3. For any finite behavior prefix $\eta$, if $\eta$ ends according to $\mu, f$ then $\Psi(\eta)$ ends according to $\mu, g$.

Proof: If $\eta_a \in \neg\mu$, then this follows from 6.1. If $\eta_a \in \mu$, then it follows from 5(a)(iv).

6.4. If $\xi \in \mathcal{O}_\mu(f)$ then $\Psi(\xi) \in \mathcal{O}_\mu(g)$.

Proof: Assume that $\xi \in \mathcal{O}_\mu(f)$. Since $\xi$ is a $\mu$-outcome of $f$, 6.3 implies that $\Psi(\xi)$ is a $\mu$-outcome of $g$. Since $f(\eta) = \bot$ iff $g(\Psi(\eta)) = \bot$, 6.1 and the fairness of $\xi$ imply that $\Psi(\xi)$ is also fair.

7. If $\xi \in \mathcal{O}_\mu(f)$ then $\Psi(\xi) \in I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N}) \cap L$.

Proof: By 3 and 6, $\Psi(\xi) \in \mathit{TA}_\mu(\mathcal{N}) \cap (I_X \cap \mathit{TA}_{\neg\mu}(U_X) \Rightarrow L)$. By 5(a)(ii) and 5(a)(iii), $\Psi(\xi) \in I_X \cap \mathit{TA}_{\neg\mu}(U_X)$.

8. $\mathcal{O}_\mu(f) \subseteq \exists x : I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N}) \cap L$

Proof: By definition of existential quantification, it suffices to prove that for every behavior $\xi \in \mathcal{O}_\mu(f)$ there exists a behavior $\xi' \in I_X \cap \mathit{TA}_{\neg\mu}(U_X) \cap \mathit{TA}_\mu(\mathcal{N}) \cap L$ such that $\Pi_S(\xi') = \xi$. By 5(a)(i) and 7, we can let $\xi'$ equal $\Psi(\xi)$.

9. Let $\sigma = \Pi_S(\tau)$. Then $\sigma \in \mathcal{O}_\mu(f)$ and $\rho \sim \sigma|_j$.

9.1. $f(\sigma|_i) = \Pi_S(g(\tau|_i))$, for all $i \geq 0$.

Proof: By 5(c) and 6 (the definition of $f$).

9.2. For all $i \geq 0$, if $a_{i+1}(\sigma) \in \mu$ then $\sigma|_{i+1} = \sigma|_i \cdot f(\sigma|_i)$.

Proof: By 4, $\tau \in \mathcal{O}_\mu(g)$. Therefore, 5(a)(i) implies that if $a_{i+1}(\sigma) \in \mu$ then $\tau|_{i+1} = \tau|_i \cdot g(\tau|_i)$. Hence, $\Pi_S(\tau|_{i+1})$, which by definition equals $\sigma|_{i+1}$, is equal to $\Pi_S(\tau|_i \cdot g(\tau|_i))$. The desired result now follows from 9.1.

9.3. $\sigma \in \mathcal{O}_\mu(f)$

Proof: By 9.2, $\sigma$ is a $\mu$-outcome of $f$. Since 4 asserts that $\tau$ is a fair $\mu$-outcome of $g$, fairness of $\sigma$ follows from 5(a)(i), 5(c), and 6, which imply that $a_i(\sigma) \in \mu$ iff $a_i(\tau) \in \mu$ and that $f(\sigma|_i)$ is defined iff $g(\tau|_i)$ is.

9.4. $\rho \sim \sigma|_j$

Proof: By 2, 4 (which asserts $\tau|_j = \phi|_j$), and the definition of $\sigma$.

End Proof of Proposition 10

Theorem 1 If I is a state predicate, (Es,EsC\El) is ->p- ma chine- realizable, Ms 
is a safety property, and Ml is any property, then 

IC\E S C\E L => Ms fl Ml 



69 



and 



are ji-equirealizable. 



IDEs => M S C\{E L ^ M L ) 



Proof of Theorem 1 

We assume that 7 is a state predicate, (Es, Es H E£) is -i^-machine-realizable, Ms 
is a safety property, and Ml is any property, and we prove 

7^(7 C\E S C\E L ^ M s n M L ) = Tl^I n E s => M s n (E L => M L j) 



\\]n^ir\E s ^ m s c\ {E L ^m l ))c (inE s n e l 

Proof: By Proposition 3, since (iHEs =>■ Ms C\(El - 
Ms fl Mi) by propositional reasoning. 
7^(7 OEsOEl^ M s n M L ) C 7^(7 n £ s => M s 0 (E L 



> M s n M L ) 

m l )) c(inE s r\E L 



Ml)) 



Proof: Let / be a //-strategy such that O fi (f) C (lr\E s r\E L => M s nM L ); we 
must prove that O fi (f) C(IC\E S ^ M S C\{E L => M L )). We assume a £ £>,,(/) 
and prove that a £ (I fl Es Ms fl Ml)). We do this by assuming 

d^(JnEs=> Ms fl (£l Mi)) and obtaining a contradiction. 

The proof rests on the observation that the hypotheses imply a 6 7 fl £"5, 
it ^ Ms, and c ^ El- Since Ms is a safety property, a must violate it at some 
finite point, while it is still possible for the environment to satisfy El- The 
contradiction is obtained by playing the strategy /, from the point at which a 
violates Ms, against an environment strategy h (constructed in step 2.4) that 
achieves Es C\El (producing the behavior <f> of step 2.5). For technical reasons, 
we replace a and / in this argument with a behavior r ~ a and a total strategy 
g, obtained from Lemma 3. 

2.1. Choose a total //-strategy g and a behavior r such that r ~ a, r £ O^g), 
and every behavior in O ^(g) is stuttering-equivalent to a behavior in O fi (f). 
Proof: g and r exist by Lemma 3. 

2.2. t £ 7 n E s , t £ M s , and r £ E L . 

2.2.1. T^(mE s ^Msn(E L ^ M L )) 

Proof: t ~ a by 2.1 (the definition of r), <r £ (IPiEs => M s n(E L => 
Ml)) by hypothesis, and properties are by definition closed under 
stuttering-equivalence. 

2.2.2. T£(inE s nE L ^ M s n m l ) 

Proof: t ~ a by 2.1, u £ (I C\ E s C\ E L => M s H M L ) since <r £ 
C (7 n £"s l~l £"l ^ Ms n M L ) by hypothesis, and properties 
are closed under stuttering-equivalence. 
t £ 7 n Tis, r £ Ms, and r £ E L . 

Proof: From 2.2.1 and 2.2.2, by propositional reasoning. 
Choose i > 0 such that t|; ^ Ms. 

Proof: Such an i exists because Ms is a safety property by hypothesis and 
t £ M s by 2.2. 



2.2.3. 



2.3. 
2.4. Choose a $\neg\mu$-strategy $h$ and a behavior $\psi \in O_{\neg\mu}(h)$ such that $\psi|_i = \tau|_i$ and $O_{\neg\mu}(h) \subseteq E_S \cap E_L$.

Proof: The existence of $h$ and $\psi$ follows from 2.2, the hypothesis that $(E_S, E_S \cap E_L)$ is $\neg\mu$-machine-realizable, and Proposition 9.

2.5. Choose a behavior $\phi$ such that

(a) $\phi|_i = \tau|_i$

(b) $\phi \in O_\mu(g)$

(c) $\phi \in O_{\neg\mu}(h)$

Proof: Define $\phi$ by $\phi|_i = \psi|_i$ and, for all $j \geq i$,

    if $j$ is odd or $h(\phi|_j)$ is undefined
      then $(a_{j+1}(\phi), s_{j+1}(\phi)) = g(\phi|_j)$
      else $(a_{j+1}(\phi), s_{j+1}(\phi)) = h(\phi|_j)$

2.5.1. $\phi$ is a behavior.

Proof: $g$ is total by 2.1.

2.5.2. $\phi|_i = \tau|_i$

Proof: By 2.4 and the definition of $\phi$.

2.5.3. $\phi$ is a $\mu$-outcome of $g$.

Proof: We must prove that if $a_{j+1}(\phi) \in \mu$ then $g(\phi|_j) = (a_{j+1}(\phi), s_{j+1}(\phi))$. For $j < i$, this holds because $\phi|_i = \tau|_i$ by 2.5.2, and $\tau \in O_\mu(g)$ by 2.1. For $j \geq i$, it holds by the definition of $\phi$ and 2.4, which asserts that $h$ is a $\neg\mu$-strategy.

2.5.4. $\phi \in O_\mu(g)$

Proof: $\phi$ is an outcome by 2.5.3. It is fair because, by definition, $\phi$ has infinitely many steps of the form $g(\phi|_j)$, which are $\mu$ steps because $g$ is a $\mu$-strategy (by 2.1).

2.5.5. $\phi$ is a $\neg\mu$-outcome of $h$.

Proof: We must prove that if $a_{j+1}(\phi) \in \neg\mu$ then $h(\phi|_j) = (a_{j+1}(\phi), s_{j+1}(\phi))$. For $j < i$, this holds because $\phi|_i = \psi|_i$ by definition of $\phi$, and $\psi \in O_{\neg\mu}(h)$ by 2.4. For $j \geq i$, it holds by definition of $\phi$ and 2.1, which asserts that $g$ is a $\mu$-strategy.

2.5.6. $\phi \in O_{\neg\mu}(h)$

Proof: $\phi$ is an outcome by 2.5.5. It is fair because, by definition of $\phi$, either $h(\phi|_j)$ is undefined infinitely often or else an infinite number of steps of $\phi$ are of the form $h(\phi|_j)$, which are $\neg\mu$ steps because 2.4 asserts that $h$ is a $\neg\mu$-strategy.

2.6. $\phi \notin M_S$

Proof: $\phi|_i = \tau|_i$ by 2.5(a), $\tau|_i \notin M_S$ by 2.3, and $M_S$ is a safety property by hypothesis.

2.7. $\phi \in (I \cap E_S \cap E_L \Rightarrow M_S \cap M_L)$

Proof: 2.5(b) asserts that $\phi \in O_\mu(g)$, so 2.1 implies that $\phi$ is stuttering-equivalent to an element of $O_\mu(f)$. Hence $\phi \in (I \cap E_S \cap E_L \Rightarrow M_S \cap M_L)$ because $O_\mu(f) \subseteq (I \cap E_S \cap E_L \Rightarrow M_S \cap M_L)$ by hypothesis, and properties are closed under stuttering-equivalence.

2.8. $\phi \in I \cap E_S \cap E_L$

Proof: $\phi$ is in $I$ because $\tau \in I$ by 2.2, $s_0(\phi) = s_0(\tau)$ by 2.5(a), and $I$ is a state predicate by hypothesis. It is in $E_S \cap E_L$ because $\phi \in O_{\neg\mu}(h)$ by 2.5(c), and $O_{\neg\mu}(h) \subseteq E_S \cap E_L$ by 2.4.

2.9. Contradiction.

Proof: 2.7 and 2.8 imply $\phi \in M_S \cap M_L$, which contradicts 2.6.

End Proof of Theorem 1



Corollary  Let $\mu$ be any agent set, let $x$ be the projection function from $S \times X$ to $X$, let $I$ be an $S$-predicate, let $(E_S, E_S \cap E_L)$ be a $\neg\mu$-machine-realizable pair of $S$-properties, and let $M_S$ and $M_L$ be $S \times X$-properties such that $\exists x : M_S$ is a safety property. Then

$I \cap E_S \cap E_L \Rightarrow \exists x : M_S \cap M_L$

and

$I \cap E_S \Rightarrow \exists x : M_S \cap (E_L \Rightarrow M_L)$

are $\mu$-equirealizable.

Proof of Corollary

Substituting $\exists x : M_S$ for $M_S$ and $\exists x : M_S \cap M_L$ for $M_L$ in Theorem 1 shows that

$I \cap E_S \cap E_L \Rightarrow \exists x : M_S \cap M_L$

and

$I \cap E_S \Rightarrow ((\exists x : M_S) \cap \exists x : (E_L \Rightarrow M_S \cap M_L))$

are $\mu$-equirealizable. Since $E_L$ does not depend on the $x$ component, it follows from the definition of existential quantification and simple logical deduction that $(\exists x : M_S) \cap \exists x : (E_L \Rightarrow M_S \cap M_L)$ equals $\exists x : M_S \cap (E_L \Rightarrow M_L)$.

End Proof of Corollary

Proposition 11  For any disjoint pair of agent sets $\mu_1$ and $\mu_2$, and any properties $P_1$ and $P_2$, the property $R_{\mu_1}(P_1) \cap R_{\mu_2}(P_2)$ is $\mu_1 \cup \mu_2$-receptive.

Proof of Proposition 11

By definition of receptiveness, it suffices to assume $\sigma \in O_{\mu_i}(f_i) \subseteq R_{\mu_i}(P_i)$ for $i = 1, 2$, where the $f_i$ are $\mu_i$-strategies, and to construct a $\mu_1 \cup \mu_2$-strategy $g$ such that $\sigma \in O_{\mu_1 \cup \mu_2}(g) \subseteq O_{\mu_1}(f_1) \cap O_{\mu_2}(f_2)$. We will define $g$ to be the strategy that begins by trying to generate $\sigma$, and when that is no longer possible, performs either an $f_1$ or an $f_2$ step, alternating between the two when it can do either.

1. For any finite behavior prefix $\rho$, define $g(\rho)$ as follows (where $\max \emptyset$ equals $-\infty$).

    if $\rho = \sigma|_j$, for some $j \geq 0$
      then if $a_{j+1}(\sigma) \in \mu_1 \cup \mu_2$
             then $g(\rho) = (a_{j+1}(\sigma), s_{j+1}(\sigma))$
             else $g(\rho) = \bot$
      else if $(f_2(\rho) = \bot) \vee ((f_1(\rho) \neq \bot) \wedge (0 < n) \wedge (a_n(\rho) \in \mu_2))$,
             where $n = \max\{k \leq |\rho| : a_k(\rho) \in \mu_1 \cup \mu_2\}$
             then $g(\rho) = f_1(\rho)$
             else $g(\rho) = f_2(\rho)$

Then $g$ is a $\mu_1 \cup \mu_2$-strategy.

Proof: $g$ is a $\mu_1 \cup \mu_2$-strategy because each $f_i$ is a $\mu_i$-strategy.

2. $\sigma \in O_{\mu_1 \cup \mu_2}(g)$

Proof: It is immediate from 1 (the definition of $g$) that $\sigma$ is a $\mu_1 \cup \mu_2$-outcome of $g$.

3. $O_{\mu_1 \cup \mu_2}(g) \subseteq O_{\mu_1}(f_1) \cap O_{\mu_2}(f_2)$

Proof: We assume $\tau \in O_{\mu_1 \cup \mu_2}(g)$ and $i \in \{1, 2\}$, and we prove that $\tau \in O_{\mu_i}(f_i)$. Since $\sigma \in O_{\mu_1}(f_1) \cap O_{\mu_2}(f_2)$ by hypothesis, we may assume that $\tau \neq \sigma$.

3.1. $\tau$ is a $\mu_i$-outcome of $f_i$.

Proof: It suffices to assume that $a_{j+1}(\tau) \in \mu_i$ and prove that $f_i(\tau|_j) = (a_{j+1}(\tau), s_{j+1}(\tau))$. There are two cases.

Case 3.1A. $\tau|_j = \sigma|_j$

In this case, the desired result follows from the hypothesis that $\sigma \in O_{\mu_i}(f_i)$.

Case 3.1B. $\tau|_j \neq \sigma|_j$

Since $\tau$ is a $\mu_1 \cup \mu_2$-outcome of $g$ by hypothesis, and $a_{j+1}(\tau) \in \mu_i$ implies $a_{j+1}(\tau) \in \mu_1 \cup \mu_2$, it suffices to prove that if $g(\tau|_j) = (a, s)$ with $a \in \mu_i$ then $f_i(\tau|_j) = g(\tau|_j)$. The desired equality follows from 1, the assumption that $\tau|_j \neq \sigma|_j$, and the hypothesis that $\mu_1$ and $\mu_2$ are disjoint.

3.2. $\tau \in O_{\mu_i}(f_i)$

Proof: 3.1 asserts that $\tau$ is a $\mu_i$-outcome of $f_i$, so we need only prove that it is a fair outcome. We assume that $\tau$ has only finitely many $\mu_i$ steps and prove that $f_i(\tau|_j)$ is undefined for infinitely many values of $j \geq 0$.

Case 3.2A. $a_j(\tau) \in \mu_1 \cup \mu_2$ for only finitely many $j > 0$.

In this case, the hypothesis $\tau \in O_{\mu_1 \cup \mu_2}(g)$ implies that $g(\tau|_j)$ is undefined for infinitely many $j$. By 1, if $\rho$ is not a prefix of $\sigma$, then $g(\rho)$ is undefined iff both $f_1(\rho)$ and $f_2(\rho)$ are undefined. Hence, $g(\tau|_j)$ undefined for infinitely many $j$ and the assumption $\tau \neq \sigma$ imply that $f_i(\tau|_j)$ must be undefined for infinitely many values of $j$.

Case 3.2B. $a_j(\tau) \in \mu_1 \cup \mu_2$ for infinitely many $j > 0$.

3.2B.1. Choose $l > 0$ such that for all $j > l$,

(a) If $a_j(\tau) \in \mu_1 \cup \mu_2$ then (i) $a_j(\tau) \notin \mu_i$ and (ii) $n > 0$ implies $a_n(\tau) \notin \mu_i$, where $n = \max\{k \leq j - 1 : a_k(\tau) \in \mu_1 \cup \mu_2\}$.

(b) $\tau|_{j-1} \neq \sigma|_{j-1}$

Proof: We can choose $l$ satisfying (a) by the assumptions that $\tau$ has only finitely many $\mu_i$ steps and that $a_j(\tau) \in \mu_1 \cup \mu_2$ for infinitely many $j > 0$. Since $\tau \neq \sigma$, we can choose $l$ large enough so that (b) also holds.

3.2B.2. For all $j > l$, if $a_j(\tau) \in \mu_1 \cup \mu_2$, then $f_i(\tau|_{j-1}) = \bot$.

Proof: Assume $j > l$ and $a_j(\tau) \in \mu_1 \cup \mu_2$. Since $\tau \in O_{\mu_1 \cup \mu_2}(g)$, we have $g(\tau|_{j-1}) = (a_j(\tau), s_j(\tau))$. Since $a_j(\tau) \notin \mu_i$ by 3.2B.1(a), and $f_i$ is a $\mu_i$-strategy, we infer $g(\tau|_{j-1}) \neq f_i(\tau|_{j-1})$. In the definition of $g(\rho)$ in 1, if $\rho$ is not a prefix of $\sigma$ and $n > 0$ implies $a_n(\rho) \notin \mu_i$, then $g(\rho) \neq f_i(\rho)$ implies $f_i(\rho) = \bot$. Hence, 3.2B.1 implies $f_i(\tau|_{j-1}) = \bot$.

3.2B.3. $f_i(\tau|_j)$ is undefined for infinitely many $j > l$.

Proof: By 3.2B.2, $f_i(\tau|_j)$ is undefined for all $j > l$ with $a_j(\tau) \in \mu_1 \cup \mu_2$, and by hypothesis, there are infinitely many such $j$.

End Proof of Proposition 11
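To make the construction of $g$ in step 1 concrete, here is a small Python model of it, written for this edition and not taken from the paper. Agents are strings, states are integers, a finite behavior prefix is an initial state plus a tuple of (agent, state) steps, and a strategy returns None where the paper writes $\bot$. The component strategies f1 and f2, the behavior sigma (given by a rule so that it stands for an infinite behavior), the environment agent "e", and the driver play are all constructed for the demonstration; the helper component_consistent checks the fact the proof uses in Case 3.1B, that on a prefix that has left $\sigma$ a $g$-step by a $\mu_i$ agent is exactly the $f_i$ step.

```python
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed model (not the paper's): agents are strings, states are ints.
# A step is (agent, resulting state); a finite behavior prefix is
# (initial state, steps).  A strategy returns None where the paper writes ⊥.
Step = Tuple[str, int]
Prefix = Tuple[int, Tuple[Step, ...]]
Strategy = Callable[[Prefix], Optional[Step]]

def last_state(prefix: Prefix) -> int:
    """rho_s: the last state of the prefix (the initial state if it is empty)."""
    init, steps = prefix
    return steps[-1][1] if steps else init

def last_agent_index(prefix: Prefix, agents: FrozenSet[str]) -> int:
    """n = max{k <= |rho| : a_k(rho) in agents}; agents are numbered from 1 and
    0 stands in for max(empty set) = -infinity."""
    steps = prefix[1]
    for k in range(len(steps), 0, -1):
        if steps[k - 1][0] in agents:
            return k
    return 0

def compose_strategies(sigma_init: int, sigma_step: Callable[[int], Step],
                       f1: Strategy, f2: Strategy,
                       mu1: FrozenSet[str], mu2: FrozenSet[str]) -> Strategy:
    """The strategy g of step 1: replay sigma while the prefix equals sigma|_j,
    otherwise alternate between f1 and f2.  sigma_step(j) is sigma's (j+1)-th
    step, so sigma can stand for an infinite behavior."""
    union = mu1 | mu2

    def g(prefix: Prefix) -> Optional[Step]:
        init, steps = prefix
        j = len(steps)
        if init == sigma_init and all(steps[k] == sigma_step(k) for k in range(j)):
            # rho = sigma|_j: take sigma's next step if it is a mu1 ∪ mu2 step,
            # otherwise wait (⊥) for the environment to take it.
            nxt = sigma_step(j)
            return nxt if nxt[0] in union else None
        n = last_agent_index(prefix, union)
        r1, r2 = f1(prefix), f2(prefix)
        if r2 is None or (r1 is not None and n > 0 and steps[n - 1][0] in mu2):
            return r1
        return r2

    return g

def play(g: Strategy, init: int, env_moves: Dict[int, int], nsteps: int) -> Prefix:
    """Constructed driver.  At step index t the environment agent 'e' (outside
    mu1 ∪ mu2) moves to env_moves[t] if scheduled; otherwise g moves when it is
    defined, and when g is undefined the environment stutters."""
    steps = []
    for t in range(nsteps):
        prefix = (init, tuple(steps))
        if t in env_moves:
            steps.append(("e", env_moves[t]))
        else:
            move = g(prefix)
            steps.append(move if move is not None else ("e", last_state(prefix)))
    return (init, tuple(steps))

def component_consistent(run: Prefix, g: Strategy, f1: Strategy, f2: Strategy,
                         mu1: FrozenSet[str], mu2: FrozenSet[str]) -> bool:
    """The fact used in Case 3.1B: on every prefix of the run, a g-step whose
    agent is in mu_i is exactly the step f_i would take there."""
    init, steps = run
    for j in range(len(steps)):
        prefix = (init, steps[:j])
        move = g(prefix)
        if move is None:
            continue
        f = f1 if move[0] in mu1 else f2 if move[0] in mu2 else None
        if f is None or f(prefix) != move:
            return False
    return True

# Constructed instances for the demonstration.
MU1, MU2 = frozenset({"p1"}), frozenset({"p2"})

def f1(prefix: Prefix) -> Optional[Step]:
    """Total mu1-strategy: always increments the state."""
    return ("p1", last_state(prefix) + 1)

def f2(prefix: Prefix) -> Optional[Step]:
    """mu2-strategy that is defined only in even states."""
    s = last_state(prefix)
    return ("p2", s + 10) if s % 2 == 0 else None

def sigma_step(j: int) -> Step:
    """sigma = 0 -p1-> 1 -p1-> 2 -p1-> 3 -e-> 4 -p1-> 5 ...: the environment
    moves every fourth step, so sigma is an outcome of f1 (and, vacuously, of f2)."""
    return ("e", j + 1) if j % 4 == 3 else ("p1", j + 1)

G = compose_strategies(0, sigma_step, f1, f2, MU1, MU2)

def demo() -> Prefix:
    """Run G against an environment that follows sigma for three steps and then
    diverges by jumping to state 100."""
    return play(G, 0, {3: 100}, 10)
```

In the run produced by demo, G first replays sigma (three "p1" steps) and returns None on sigma's third prefix because sigma's next step belongs to the environment. Once the environment jumps to 100 the prefix is no longer a prefix of sigma, and G alternates "p2" and "p1" steps whenever f2 is defined, falling back on f1 in the odd states where f2 is undefined; this is the alternation that 3.2B relies on, and component_consistent confirms the Case 3.1B property on every prefix of the run.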

Proposition 12  If $\mu_1$, $\mu_2$, and $\mu_1 \cup \mu_2$ are agent sets and $E$, $E_1$, and $M_2$ are properties such that:

1. $E = I \cap P$ where

(a) $I$ is a state predicate.

(b) $P$ is a safety property that constrains at most $\neg(\mu_1 \cup \mu_2)$.

2. $E_1$ is a safety property.

3. $\mu_1 \cap \mu_2 = \emptyset$

4. $M_2$ is a $\mu_2$-abstract property.

Then the rule of inference

$$\frac{E \cap M_2 \subseteq E_1}{E \cap \overline{M_2} \subseteq E_1}$$

is sound.

Proof of Proposition 12

Proof: We assume $E \cap M_2 \subseteq E_1$ and prove $E \cap \overline{M_2} \subseteq E_1$. We do this by assuming the existence of a behavior $\sigma$ in $E \cap \overline{M_2}$ but not in $E_1$, and obtaining a contradiction. We will obtain the contradiction by constructing a behavior in $E \cap M_2$ that is not in $E_1$. We will first construct a behavior $\phi$ in $M_2$ by continuing $\sigma$ from the point at which it violates the safety property $E_1$. We will then modify $\phi$ by replacing agents in $\neg(\mu_1 \cup \mu_2)$ with agents in $\mu_1$ to obtain a behavior $\tau$ that will still be in $M_2$ (because $M_2$ is $\mu_2$-abstract), in $E$ (because only $\neg(\mu_1 \cup \mu_2)$ steps can violate $E$), but not in $E_1$.

1. Choose $i > 0$ such that $\sigma|_i \in E \cap \overline{M_2}$ and $\sigma|_i \notin E_1$.

Proof: Since $E_1$ is a safety property and $\sigma \notin E_1$, there exists an $i$ such that $\sigma|_i \notin E_1$. Since $E$ and $\overline{M_2}$ are safety properties, $E \cap \overline{M_2}$ is also a safety property. Hence, the assumption $\sigma \in E \cap \overline{M_2}$ implies $\sigma|_i \in E \cap \overline{M_2}$.

2. Choose a behavior $\phi$ in $M_2$ such that $\sigma|_i = \phi|_i$.

Proof: $\phi$ exists by 1, which asserts $\sigma|_i \in \overline{M_2}$, and the definition of closure.

3. Choose $\beta \in \mu_1$ and let $\tau$ be the behavior such that, for all $k \geq 0$:

    $s_k(\tau) = s_k(\phi)$
    if $(k + 1 \leq i) \vee (a_{k+1}(\phi) \in (\mu_1 \cup \mu_2))$ then $a_{k+1}(\tau) = a_{k+1}(\phi)$
    else $a_{k+1}(\tau) = \beta$

Then $\tau$ is $\mu_2$-equivalent to $\phi$.

Proof: $\tau$ is the same as $\phi$ except that some agents not in $\mu_1 \cup \mu_2$ have been replaced by $\beta$, an agent in $\mu_1$. Since $\mu_1$ and $\mu_2$ are disjoint by hypothesis 3, $\tau$ is $\mu_2$-equivalent to $\phi$.

4. $\tau|_i = \sigma|_i$

Proof: By 2 and 3, which imply $\phi|_i = \tau|_i$.

5. $\tau \in E \cap M_2$

5.1. $\tau \in I$

Proof: 1 and 4 imply $\tau|_i \in I$, since $E \subseteq I$; and $I$ is a state predicate by hypothesis 1(a).

5.2. $\tau \in P$

5.2.1. $a_k(\tau) \in (\mu_1 \cup \mu_2)$, for all $k > i$.

Proof: By 3.

5.2.2. $\tau|_i \in P$

Proof: By 1 and 4, since $E \subseteq P$.

5.2.3. $\tau \in P$

Proof: By 5.2.1, 5.2.2, and hypothesis 1(b), which asserts that $P$ constrains at most $\neg(\mu_1 \cup \mu_2)$.

5.3. $\tau \in M_2$

Proof: $\phi \in M_2$ by 2, $\tau$ is $\mu_2$-equivalent to $\phi$ by 3, and $M_2$ is $\mu_2$-abstract by hypothesis 4.

5.4. $\tau \in E \cap M_2$

Proof: By 5.1, 5.2, and 5.3, since $E$ equals $I \cap P$.

6. $\tau \notin E_1$

Proof: 1 and 4 imply $\tau|_i \notin E_1$, and $E_1$ is a safety property by hypothesis 2.

7. Contradiction.

Proof: 5, 6, and the hypothesis $E \cap M_2 \subseteq E_1$.

End Proof of Proposition 12

Theorem 2  If $\mu_1$, $\mu_2$, and $\mu_1 \cup \mu_2$ are agent sets and $E$, $E_1$, $E_2$, $M_1$, and $M_2$ are properties such that:

1. $E = I \cap P$, $E_1 = I_1 \cap P_1$, and $E_2 = I_2 \cap P_2$, where

(a) $I$, $I_1$, and $I_2$ are state predicates.

(b) $P$, $P_1$, and $P_2$ are safety properties that constrain at most $\neg(\mu_1 \cup \mu_2)$, $\neg\mu_1$, and $\neg\mu_2$, respectively.

2. $M_1$ and $M_2$ constrain at most $\mu_1$ and $\mu_2$, respectively.

3. $\mu_1 \cap \mu_2 = \emptyset$

Then the rule of inference

$$\frac{E \cap M_1 \cap M_2 \subseteq E_1 \cap E_2}{R_{\mu_1}(E_1 \Rightarrow M_1) \cap R_{\mu_2}(E_2 \Rightarrow M_2) \subseteq R_{\mu_1 \cup \mu_2}(E \Rightarrow M_1 \cap M_2)}$$

is sound.

Proof of Theorem 2

Proof: We assume the hypotheses of the theorem, and we prove the soundness of the inference rule by assuming its hypothesis and deducing its conclusion.

1. $R_{\mu_1}(E_1 \Rightarrow M_1) \cap R_{\mu_2}(E_2 \Rightarrow M_2) \subseteq (E \Rightarrow M_1 \cap M_2)$.

Proof: We assume $\sigma \in R_{\mu_1}(E_1 \Rightarrow M_1) \cap R_{\mu_2}(E_2 \Rightarrow M_2)$ and $\sigma \notin (E \Rightarrow M_1 \cap M_2)$, and we obtain a contradiction.

1.1. $\sigma \notin E_1 \cap E_2$

1.1.1. Choose $j \in \{1, 2\}$ such that $\sigma \notin M_j$.

Proof: The assumption $\sigma \notin (E \Rightarrow M_1 \cap M_2)$ implies $\sigma \notin M_1$ or $\sigma \notin M_2$.

1.1.2. $\sigma \in (E_j \Rightarrow M_j)$

Proof: By the assumption $\sigma \in R_{\mu_1}(E_1 \Rightarrow M_1) \cap R_{\mu_2}(E_2 \Rightarrow M_2)$ and the definition of $R_\mu$.

1.1.3. $\sigma \notin E_j$

Proof: By 1.1.1 and 1.1.2.

1.1.4. $\sigma \notin E_1 \cap E_2$

Proof: By 1.1.3.

1.2. Let $i$ be the smallest natural number such that $\sigma|_i \notin E_1 \cap E_2$.

Proof: Such an $i$ exists by 1.1, because hypothesis 1 implies that $E_1 \cap E_2$ is a safety property.

1.3. $\sigma|_i \notin E \cap \overline{M_1} \cap \overline{M_2}$

Proof: By 1.2 and the assumption that the hypothesis of the inference rule holds.

1.4. $\sigma|_i \in E$

Proof: The assumption $\sigma \notin (E \Rightarrow M_1 \cap M_2)$ implies $\sigma \in E$, and $E$ is a safety property.

1.5. $\sigma|_i \notin \overline{M_1} \cap \overline{M_2}$

Proof: By 1.3 and 1.4.

1.6. $i > 0$ and $\sigma|_{i-1} \notin E_1 \cap E_2$.

Proof: By 1.5, there exists $j \in \{1, 2\}$ such that $\sigma|_i \notin \overline{M_j}$. Hypotheses 1 and 2 of the theorem, and the assumption $\sigma \in R_{\mu_j}(E_j \Rightarrow M_j)$ then allow us to apply Lemma 4, substituting $\mu_j$, $I_j$, $P_j$, and $M_j$ for $\mu$, $I$, $P$, and $M$, to conclude $i > 0$ and $\sigma|_{i-1} \notin E_j$.

1.7. Contradiction.

Proof: By 1.6 and the choice of $i$ in 1.2.

$R_{\mu_1}(E_1 \Rightarrow M_1) \cap R_{\mu_2}(E_2 \Rightarrow M_2) \subseteq R_{\mu_1 \cup \mu_2}(E \Rightarrow M_1 \cap M_2)$

Proof: By 1, Proposition 3, and Proposition 11, which we can apply by hypothesis 3.

End Proof of Theorem 2
Glossary

$a_i(\sigma)$: The $i$th agent of behavior $\sigma$.

$f$, $g$, $h$: Strategies, except in Section 5.2.2, where $f$ is a refinement mapping.

$inp$, $mid$, $out$: State components from the example in Figure 3.

$s_i(\sigma)$: The $i$th state of behavior $\sigma$.

$s$, $t$: States.

$x$, $y$: Internal state components.

$A$: The set of all agents.

$E$: An environment assumption (a property).

$E_S$, $E_L$: Safety and liveness parts of $E$ (in Section 4.3).

$I$: A state predicate.

$I_x$: An initial condition for an internal state component $x$.

$I$: The identity next-state relation.

$L$: A progress property.

$M$: A system guarantee (a property).

$M_S$, $M_L$: Safety and liveness parts of $M$ (in Section 4.3).

$N$: A next-state relation.

$N_E$, $N_M$: Next-state relations of an environment and a system.

$O_\mu(f)$: The set of behaviors generated by $\mu$-strategy $f$.

$P$, $Q$: Sets of behaviors, usually properties.

$R_\mu(P)$: The $\mu$-realizable part of $P$.

$S$: A specification.

$S$: The set of all states.

$TA(N)$: The property defined by the next-state relation $N$ of a complete program.

$TA_\mu(N)$: The property asserting that every $\mu$-step satisfies the next-state relation $N$.

$U_x$: The next-state relation asserting that state component $x$ is unchanged.

$V(P, \sigma)$: The step number of the first step at which behavior $\sigma$ violates property $P$.

$X$, $Y$: Sets of internal states.

$\alpha$, $\beta$: Agents.

$\beta_\mu$: An agent in $\mu$.

$\mu$: A set of agents, usually an agent set.

$\eta$, $\theta$, $\rho$: Behavior prefixes, usually finite.

$\xi$, $\sigma$, $\tau$, $\phi$: Behavior prefixes, usually infinite.

$\psi$: A behavior prefix (finite or infinite).

$A$, $S$: Mappings on behavior prefixes.

$\Pi$: A system (not a formally defined concept).

$\Pi_S$: The projection mapping onto the external states.

$\Pi_X$: The projection mapping onto the internal states.

$\exists x$: Existential quantification over a state component $x$.

$s \xrightarrow{\alpha} t$: A step performed by agent $\alpha$.

$\overline{P}$: The closure of $P$ (the smallest safety property containing $P$).

$P \Rightarrow Q$: The property consisting of all behaviors that are in $Q$ or not in $P$.

$P \mathrel{-\!\triangleright} Q$: The property asserting that $Q$ holds as long as $P$ does.

$S|^x_y$: The result of substituting $x$ for $y$ in the formula for $S$.

$\rho \cdot (\alpha, s)$: The finite behavior prefix obtained by concatenating $(\alpha, s)$ to the end of $\rho$.

$\rho_a$: The last agent of $\rho$.

$\rho_s$: The last state of $\rho$.

$|\rho|$: The length of $\rho$.

$\overline{\rho}$: The behavior obtained by extending the finite behavior prefix $\rho$ with stuttering steps.

$\sigma|_n$: The finite behavior prefix consisting of the first $n$ steps of $\sigma$.

$\natural_\mu \sigma$: The behavior prefix obtained by removing $\mu$-stuttering steps from $\sigma$.

$\simeq$: Stuttering-equivalence.

$\simeq_\mu$: $\mu$-stuttering-equivalence.

$\{P\}\,\Pi\,\{Q\}$: A Hoare triple.

$f(\rho) = \bot$: Asserts that $\rho$ is not in the domain of $f$.



Index

$\overline{P}$, 13
$S|^x_y$, 32, 33
$\simeq$, 12
$\simeq_\mu$, 12
$\Pi_S$, 26
$\Pi_X$, 26
$\bot$, 47
$\cdot$ (concatenation), 48
$\Rightarrow$, 8, 12
$-\!\triangleright$, 13
$|\rho|$, 48
$\natural_\mu \sigma$, 12
$\sigma|_n$, 11
$\rho_a$, 48
$\rho_s$, 48
$\sigma$, 12
$\mu$-abstract, 13
$\mu$-equirealizable, 16
$\mu$-equivalent, 13
$\mu$-machine-realizable, 25
$\mu$-outcome, 16
    partial, 48
$\mu$-realizable, 16
$\mu$-realizable part, 16
$\mu$-receptive, 16
$\mu$-strategy, 16
$\mu$-stuttering step, 12
$\mu$-stuttering-equivalence, 12

$A$, 10
$a_i(\sigma)$, 11
abstraction functions, 38
actions
    atomic, 11
    joint, 7
    system versus environment, 7, 14
    temporal logic of, 47
    versus agents, 11
    versus states, 6
Ada, 6
agent set, 10
    disjointness of, 42
    of a partial program, 24
agents, 8, 10, 33
    system versus environment, 8
Alpern, Bowen, 13
Apt, Krzysztof R., 22
assumption, environment, 1
auxiliary variables, 38

Barringer, Howard, 11
behavior, 8, 11
behavior prefix, 11
Broy, Manfred, 18

case, 48
CCS, 6
Chandy, K. Mani, 5
circular reasoning, 2, 9, 39, 91
closed set, 13
closure, 13
Composition Principle
    for safety properties, 5
    for sequential programs, 2
    informal statement, 2
    Pnueli's, 5
    Stark's, 5
    theorem, 41
concatenation, 48
conjunction, composition as, 9, 33, 47
constrains at most, 15
CSP, 5, 7, 23, 47

Davis, Morton, 15
dense set, 13
Dill, David L., 16

end according to, 48
equirealizable, 15, 16
existential quantification, 26
    and explicitness, 46
explicitness, 46

failure-set semantics, 47
fair realizability, 17
fairness, 22
    strong, 25
feasibility, 22
Francez, Nissim, 22

game, realization, 15
guarantee, system, 1

hiding, 26
history variables, 38
Hoare logic, 2
Hoare triple, 2

$I$, 37
I/O automata, 1
identity relation, 37
implements, 34
    transitivity of, 34
initial predicate
    of a complete program, 20
    of a partial program, 24
initial state, 13
    and refinement mapping, 36
    chosen by environment, 15
$inp$, 31
interleaving, 11, 47
invariant, 37
invariant under stuttering, 17

Katz, Shmuel, 22
Kuiper, Ruurd, 11

Lam, Simon S., 1
length of a behavior prefix, 48
liveness property, 5, 13
Lynch, Nancy, 1

machine-closed, 22
machine-realizable, 25
Manna, Zohar, 22
$mid$, 31
Milner, Robin, 6
Misra, Jayadev, 5
monotone, 48
monotonicity of $R_\mu$, 18
moves of realization game, 15

$N_E$, 36
$N_M$, 36
next-state relation
    and refinement mapping, 37
    of a complete program, 20
    of a partial program, 24
nondeterminism, external and internal, 7
normal form, 27, 30

$out$, 31
outcome, 15, 16
    fair, 16
Owicki-Gries method, 37

parallel composition, 32
partial correctness, 2
Pascal, 1, 23
Pnueli, Amir, 5, 11, 22, 35
postconditions, 3
preamble, 48
preconditions, 3
program
    abstract, 1, 27, 47
    complete, 20
    partial, 23
    semantics of, 47
    sequential, 2
progress property, 20, 21, 24
projection
    functions, 26
    method of, 1
proof style, explanation of, 48
property, 8, 12
    invariance, 37
    liveness, 5, 13
    safety, 5, 13
prophecy variables, 38
protocol, 3, 43

16
reactive systems, 3
realizable, 15, 16
realizable part, 15, 16
realization game, 15
reasoning, circular, see circular reasoning
receptive, 16
refinement mapping, 36
renaming, 32, 42

$S$, 10
$s_i(\sigma)$, 11
$S$-predicate, 10
safety property, 5, 13
Schneider, Fred B., 13
sequential composition, 2, 32
sequential program, 2
Shankar, A. Udaya, 1
Stark, Eugene W., 5, 16, 18
state component
    and refinement mapping, 36
    externally observable, 26
    internal, 12, 26, 29
state predicate, 10
    as property, 12
    is safety property, 13
states, 6, 10, see initial state, 32
    internal, 12, 18, 26, 28, 36
    of a complete program, 20
    of a partial program, 23
    reachable, 37
    universal set of, 23, 33
    versus actions, 6
step, 11
    stuttering, see stuttering step
strategy, 16
stuttering step, 12
    as internal action, 17
stuttering-equivalence, 12
    and logic, 46
    and strategies, 17

$TA(N)$, 20
$TA_\mu(N)$, 24
topology, 13
transition-axiom method, 1, 10, 27
Tuttle, Mark, 1

$U_x$, 26

$V(P, \sigma)$, 15

$X$, 26
$x$, 26

$Y$, 36